autofix

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to read files and display current code and proposed diffs (and to execute and show CodeRabbit's agent prompts literally), so any secrets present in the repo would be reproduced verbatim in outputs/PR comments or interactive messages, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill fetches unresolved GitHub PR review threads via the GitHub GraphQL API (github.md §2 / SKILL.md Step 3), extracts the "🤖 Prompt for AI Agents" content from those third-party review comments, and explicitly executes those prompts as direct instructions to modify code (SKILL.md Steps 4, 6, and 7), which allows untrusted user-generated content on GitHub to change agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill uses gh api graphql to fetch CodeRabbit PR review threads from GitHub (GitHub GraphQL API at https://api.github.com/graphql) and then directly executes the "🤖 Prompt for AI Agents" content from those comments as instructions at runtime, so external content from that URL controls agent prompts.