load-pr-review
Fail
Audited by Snyk on Apr 20, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.85). The code and SKILL design do not contain obfuscated backdoors or remote shells, but they explicitly and intentionally send unredacted repository diffs and reviewer content to external Codex/Agent calls (per-thread /seek-verdict), and the spec states those diffs are "never recorded in audit log", which constitutes a deliberate data-exfiltration risk (possible leakage of secrets or sensitive code) and a high-risk privacy/abuse pattern when run on sensitive repositories.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill fetches user-generated GitHub PR review comments via GraphQL/REST (see references/api-contract.md and scripts/load-pr-review.js fetchGraphQL/fetchREST), then packages reviewer comment bodies and diffs into mandatory per-thread /seek-verdict calls (SKILL.md Step 2 and references/verdict-triage-prompt.md) whose results directly influence triage, fix selection, and writeback actions, thereby exposing the agent to untrusted third‑party content that can affect behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). This skill calls GitHub at runtime (via gh api graphql and the REST endpoint repos/{owner}/{repo}/pulls/{number}/comments) to fetch reviewer comment bodies which are then injected into per-thread /seek-verdict prompts, so external content from those URLs directly controls agent prompts.
Issues (3)
- CRITICAL E006: Malicious code pattern detected in skill scripts.
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata