pr-review

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly asks for GitHub tokens, shows curl examples that embed "Authorization: Bearer {token}" (requiring verbatim insertion), and instructs storing the token in a workspace file, which forces the LLM to handle and output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md Step 2 explicitly fetches PR metadata and the diff from the public GitHub API (api.github.com), and Step 4 requires the agent to read and act on that user-generated PR content to produce review decisions, so untrusted third-party content can influence behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill fetches PR metadata and the raw diff at runtime from the GitHub API (https://api.github.com/repos/{owner}/{repo}/pulls/{pr_number} and the same endpoint requested with Accept: application/vnd.github.v3.diff), and that fetched content is injected into the model context to drive review prompts, so it is a runtime external dependency that can directly control prompts.