github-auto-implement

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill intentionally sends repository, issue and PR context (including diffs and comments) to an external LLM process invoked with the flag --dangerously-skip-permissions and runs shell/gh/git commands around that interaction, creating a high-risk pathway for sensitive-data exfiltration and remote/automated command execution by the external model agent.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The daemon repeatedly queries GitHub via the gh CLI (e.g., getReadyIssues, findExistingPR, getPRContext) and then injects issue bodies, comments, PR review comments and diffs into the prompts built by buildPrompt/buildRevisionPrompt which are sent to the model, so untrusted user-generated GitHub content can directly influence autonomous decisions and tool use.