autoreview

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). This script builds and sends repository diffs (including untracked files) to external review CLIs (codex/claude/pi/opencode/droid/copilot) and, by default, injects --dangerously-bypass-approvals-and-sandbox/--sandbox danger-full-access, creating a high risk of sensitive data exfiltration and enabling powerful remote actions by the reviewer tooling.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The script runs "git fetch origin" (using repo_url from git config: remote.origin.url) when doing a branch review and then embeds the fetched diff (base_ref...HEAD) into the generated prompt file sent to the reviewer, so content fetched from that external Git URL can directly control the agent prompt.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly endorses running nested review with flags like --dangerously-bypass-approvals-and-sandbox and --sandbox danger-full-access, which instructs bypassing sandbox/approval protections and granting full access to the host environment.