autoreview

Warn

Audited by Snyk on Jul 10, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.75). The required workflow builds a prompt file that includes diff_for_review output from the local git working tree/branch/commit (i.e., repository text authored by others), and then feeds that free-form diff text into the LLM via the fallback prompt reviewers’ stdin (claude -p, pi -p, opencode run --file, droid exec -f, copilot -p) and potentially Codex review-mode as well.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill instructs its helper to run nested reviews with "--dangerously-bypass-approvals-and-sandbox --sandbox danger-full-access" by default, which explicitly bypasses security/sandboxing and can grant the agent broad access to the host environment, risking compromise of machine state.

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W013
MEDIUM

Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 10, 2026, 03:30 PM
Issues
2
Security Audit — snyk — autoreview