adversarial-review
Warn
Audited by Snyk on Jun 13, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). The skill’s runtime workflow can ingest outsider-authored free text when the user supplies a PR URL/number: it fetches
gh pr view ... --json title,bodyandgh pr diff, and also reads “context files referenced in the PR body,” which are outsider-written content that becomes LLM-readable in Phase 2 (READ) and then in Phase 3 (ATTACK).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches PR artifacts at runtime (via commands like
gh pr view/gh pr diff) for inputs such as a PR URL (e.g., https://github.com/org/repo/pull/123), and that fetched PR/diff content is injected into the model prompt to drive the adversarial review, so external content directly controls the agent's prompts.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata