subagent-review

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill mandates reading full diffs and source files and requires "Fix" sections and before/after code snippets to be included verbatim, which forces the agent to reproduce any embedded secrets (API keys, tokens, passwords) found in the code, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's setup (Section 1.4.1) explicitly runs gh pr view and gh issue view to fetch PR/issue titles, bodies, and comments from GitHub (user-generated/public content) which are written into the review context and then included in the subagents' prompts (Section 1.4.2), meaning untrusted third‑party content is read and can directly influence review findings and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill calls gh pr view (GitHub API — e.g., api.github.com) at runtime to fetch PR/issue bodies and comments and then injects that content into the subagent Context/Prompts, so remote GitHub content can directly control agent instructions.