code-review-assistant
Fail
Audited by Snyk on Apr 2, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The workflow enables a secrets scan (--check-secrets true), aggregates raw review outputs into JSON and feeds that context to codex and PR comments without any redaction, so any discovered secrets could be passed to and emitted by the LLM verbatim.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly runs "gh pr view" to ingest PR title/body/files (user-generated GitHub content) and feeds those artifacts into automated agents and audit pipelines that generate fix suggestions and make merge/approval decisions, so untrusted PR content could materially influence agent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The script invokes npx claude-flow (i.e., the "claude-flow" npm package fetched/executed at runtime from the npm registry) to initialize and coordinate multi-agent workflows and run commands like auto-agent and security-scan, meaning remote package code is fetched and executed and directly controls agent behavior.