full-code-review

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill requires quoting "exact code snippet" evidence from the provided diffs and injecting DIFF/CHANGED_FILES into reviewer prompts, which forces the model to reproduce any embedded secrets (API keys, tokens, passwords) verbatim if present.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.75). The runtime path injects DIFF and CHANGED_FILES into multiple agent prompts; if those are sourced from outsider-authored PR/branch content (e.g., GitHub PR body/diff authored by someone other than the operating user), then arbitrary free text from that outsider becomes LLM-readable context via git diff ... → ${DIFF} embedded in the reviewer/verifier/synthesis prompts.