review-security

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill requires extracting and reporting exact code snippets (with file paths and line numbers) as evidence for findings—including hardcoded secrets—so it may force the LLM to output sensitive credential values verbatim, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md workflow (Phase 0 and Phase 3) explicitly instructs the agent to fetch and read files from PRs/commits (e.g., "gh pr view <pr_number> --json files" and git diff-tree) and to grep/read matches across the codebase, which means the agent will ingest untrusted, user-generated repository content from third-party sources and use that content to drive analysis and subsequent actions.