e2e-reviewer

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's SKILL.md explicitly documents an optional "PR culture check" that calls GitHub CLI commands (gh pr list/view/diff) to read public repository PRs and diffs—user-generated third-party content that the agent would read and use to influence band-aid/fix decisions—so it can ingest untrusted web content that may change its actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The scanner script (scripts/scan.sh) can invoke npx to auto-download and execute packages such as eslint-plugin-playwright and @ast-grep/cli from the npm registry (e.g., https://registry.npmjs.org/), which causes remote code to be fetched and run at skill runtime.