autoreview
Warn
Audited by Snyk on Jul 10, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.75). The required workflow builds a prompt file that includes
diff_for_reviewoutput from the local git working tree/branch/commit (i.e., repository text authored by others), and then feeds that free-form diff text into the LLM via the fallback prompt reviewers’ stdin (claude -p,pi -p,opencode run --file,droid exec -f,copilot -p) and potentially Codex review-mode as well.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill instructs its helper to run nested reviews with "--dangerously-bypass-approvals-and-sandbox --sandbox danger-full-access" by default, which explicitly bypasses security/sandboxing and can grant the agent broad access to the host environment, risking compromise of machine state.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W013
MEDIUMAttempt to modify system services in skill instructions.
Audit Metadata