skills/openhands/skills/setup-pr-review/Snyk

setup-pr-review

Warn

Audited by Snyk on Jun 24, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.75). The workflow template is fetched from a public docs URL at setup time, but at runtime the agent’s LLM context is driven by GitHub PR content (e.g., PR title/body/diffs) authored by outsiders; this is the typical path for indirect prompt injection via PR text.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 1.00). The workflow explicitly calls a remote composite action (OpenHands/extensions/plugins/pr-review) and directs LLM traffic to the external proxy URL https://llm-proxy.app.all-hands.dev (and instructs fetching the template from https://docs.all-hands.dev/sdk/guides/github-workflows/pr-review), all of which are fetched/used at runtime and thus can execute remote code or control prompts.

Issues (2)

W011

MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012

MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level

MEDIUM

Analyzed

Jun 24, 2026, 04:50 PM

Issues

2

Security Audit — snyk — setup-pr-review