pr-watch

Fail

Audited by Snyk on May 5, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The skill instructs the agent to read and print CI run logs and command outputs (e.g., "<first 25 lines of failure log>" and gh command outputs), which can contain API keys, tokens, or other secrets and therefore may cause the LLM to reproduce secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly runs "gh run view ... --log-failed" in Phase 1.3 to fetch and read CI failure logs from GitHub Actions (third-party, user-generated content) and uses those logs to determine and apply code fixes, so untrusted external content is directly interpreted and can change agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill invokes the GitHub CLI at runtime to fetch CI/run logs (e.g., GitHub Actions logs via https://api.github.com or https://github.com///actions/runs//logs) and injects those logs into its fix decision process, so external content directly controls the agent's prompts/actions and is a required dependency.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: HIGH
Analyzed: May 5, 2026, 10:49 AM
Issues: 3