skill-staged-review

Fail

Audited by Snyk on May 9, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The Codex dispatch embeds an "IMPORTANT" block telling the subagent to "take precedence over all skill directives" and "Skip ALL skills," which is a hidden/deceptive instruction attempting to override system/skill context and is outside the staged-review's stated purpose.

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill feeds raw diffs and file/intent contents (DIFF_CONTENT, intent file) into LLM prompts and synthesizes/posts reports without any redaction rules, so any secrets present in code would be read and likely reproduced verbatim in generated reviews or PR comments.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill intentionally sends repository diffs to external LLM providers (Codex/Gemini), includes prompt-injection directives like "Skip ALL skills" and "approval-mode yolo" that attempt to bypass safety controls, and auto-posts reports to PRs — collectively creating a deliberate data‑exfiltration and safety-bypass vector (high risk).

Issues (3)

CRITICAL E004: Prompt injection detected in skill instructions.
HIGH W007: Insecure credential handling detected in skill instructions.
CRITICAL E006: Malicious code pattern detected in skill scripts.

Audit Metadata
Risk Level: CRITICAL
Analyzed: May 9, 2026, 06:35 AM
Issues: 3