github-code-review

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill instructs LLM-based review agents to generate SECURITY_RESULTS and COMMENTS and post them verbatim into PR review bodies/comments (e.g., gh pr comment/gh pr review --body "$SECURITY_RESULTS"), which can cause any secrets detected in diffs or tool outputs to be included unredacted in generated output and thus exfiltrated.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The content contains high-risk backdoor/RCE patterns: a webhook handler executes untrusted PR/comment content via execSync (no shown signature validation), allowing arbitrary shell commands (and npx package runs) from remote PR comments and enabling code-push/agent-registration abuse/supply-chain execution.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.95). The skill explicitly ingests untrusted, user-generated GitHub content (e.g., PR bodies, diffs, and PR comments via commands like gh pr view, gh pr diff and the webhook handler that runs execSync on event.comment.body) and uses that content to direct agent actions and run commands, which could enable indirect prompt injection.