auto-review-loop

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill contains multiple deliberate instructions that bypass user consent and safety checks (silent Bash fallback writes, skipping repo checks), and it enables unrestricted remote code execution and unrestricted disclosure of repository contents to external reviewer backends (including reading config/credential files and sending notifications), creating a high risk of unauthorized data exposure and covert remote actions.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The workflow explicitly sends project context to external reviewers (mcp__codex__codex and codex exec in Phase A/nightmare) and saves/parses their raw responses as authoritative input for fixes and actions, and even fetches open-web citation data via curl to dblp.org/doi.org, so untrusted third‑party content directly influences tool use and next actions.