github-repo-monitor

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The script intentionally fetches and forwards user secrets (including the GitHub PAT) into spawned conversations and grants those conversations terminal/file_editor and secret-lookup access, creating a high risk of credential exposure, data exfiltration and remote code execution if the agent or triggers are abused.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.95). The runtime polls GitHub issue/PR comments from outsider-authored users via GET /repos/{owner}/{repo}/issues/comments and GET /repos/{owner}/{repo}/pulls/comments, then injects their free-text comment["body"] plus issue/PR title/body/labels and recent comment bodies into the OpenHands conversation prompt in _build_initial_prompt() / create_conversation().

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The script makes runtime requests to https://api.github.com to fetch issue/PR titles, bodies and recent comments which are injected verbatim into the OpenHands conversation prompt, so externally-provided GitHub content can directly control the agent's instructions.