adversarial-review

Warn

Audited by Snyk on Jun 13, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.85). The skill’s runtime workflow can ingest outsider-authored free text when the user supplies a PR URL/number: it fetches gh pr view ... --json title,body and gh pr diff, and also reads “context files referenced in the PR body,” which are outsider-written content that becomes LLM-readable in Phase 2 (READ) and then in Phase 3 (ATTACK).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches PR artifacts at runtime (via commands like gh pr view / gh pr diff) for inputs such as a PR URL (e.g., https://github.com/org/repo/pull/123), and that fetched PR/diff content is injected into the model prompt to drive the adversarial review, so external content directly controls the agent's prompts.

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 13, 2026, 11:36 AM
Issues
2