pr-pipeline
Fail
Audited by Snyk on Mar 23, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.80). The skill includes an explicit "No Attribution" hardcoded behavior that instructs the agent to hide AI authorship (e.g., "Never add 'Generated with Claude Code'..."), which is a deceptive instruction outside the pipeline's stated purpose of producing high-quality PRs and thus constitutes a prompt-injection risk.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The skill contains deliberate supply-chain/backdoor patterns: it automates boosting/graduating learned “retro” entries to 1.0 confidence and directly embeds them into agent/skill files (modifying code/behavior without independent human review), and it documents an explicit hook bypass (CLAUDE_GATE_BYPASS) and “no attribution” rule — all of which create a high risk of persistent malicious model/agent poisoning and stealthy behavior changes even though no direct data-exfiltration network calls are present.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly reads and follows repository-provided files and remote GitHub data — e.g., "CLAUDE.md Compliance" (hardcoded behavior), Phase 0's classify-repo.py remote classification, and Phase 5 Step 1.5's artifact-driven PR body generation from task_plan.md / verification reports and Phase 6's gh run list/watch — meaning arbitrary repo/GitHub content (user-generated/untrusted) is ingested and used to drive commits, PR content, and pipeline decisions, which can enable indirect prompt injection.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (medium risk: 0.60). The skill does not request sudo, create users, or edit system files, but it explicitly instructs bypassing a git-submission-gate via CLAUDE_GATE_BYPASS and recommends force-pushing, which are repository-level security bypasses that can compromise state and thus present moderate risk.
Issues (4)
- E004 (CRITICAL): Prompt injection detected in skill instructions.
- E006 (CRITICAL): Malicious code pattern detected in skill scripts.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.
Audit Metadata