github-pr-reviewer

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The script intentionally provisions an AI agent with terminal/file-editor tools and broad secret lookup access (injecting all named secrets into the conversation), then posts the agent's output to GitHub—this combination enables remote code execution in the runtime and easy exfiltration of secrets (e.g., PATs) if the agent or its prompt is abused.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). The automation builds the LLM prompt from GitHub PR fields and issue labeled event details fetched at runtime via the GitHub REST API (outsider-authored PR description/body, comments, and event metadata are included in _build_review_prompt and sent to create_conversation → /api/conversations), creating an indirect prompt-injection path.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The automation's runtime review prompt explicitly tells the agent to git clone the repository at https://github.com/{REPO}.git and to inspect the checked-out files, meaning arbitrary remote repository content is fetched during conversation execution and can influence or be acted on by the agent (remote code/data entering the agent's execution context).