when-reviewing-github-pr-use-github-code-review
Warn
Audited by Snyk on Jun 26, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). The skill fetches PR context (including changed files/diffs and existing comments) via
bash scripts/github-api.sh fetch-pr ..., and that PR content is outsider-authored (e.g., external contributor commits) which is then loaded into agent-accessible memory (pr-context.json/github/pr-review/context) and used in subsequent Task prompts—creating an indirect prompt-injection path from PR text into the LLM context.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill repeatedly runs "npx claude-flow@alpha" at runtime (e.g., "npx claude-flow@alpha swarm init" and other npx/claude-flow commands), which fetches and executes remote npm package code that orchestrates agents and therefore can directly control prompts and runtime behavior.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata