code-review

Fail

Audited by Snyk on Jul 14, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs sub-agents to "quote the hunk" and present reports "verbatim," which requires reproducing diff/spec lines (and thus any secrets present there) verbatim in generated output, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.75). The workflow ingests the “originating spec” by fetching issue/PR text from an outsider-authored issue tracker (via docs/agents/issue-tracker.md), and then includes that fetched free-form spec content directly in the Spec sub-agent prompt at runtime.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level
HIGH
Analyzed
Jul 14, 2026, 10:18 PM
Issues
2
Security Audit — snyk — code-review