coderabbit

Fail

Audited by Socket on Feb 25, 2026

1 alert found:

Malware (HIGH)
SKILL.md

This skill document describes plausible and useful functionality for an AI-assisted code-review CLI that integrates with Claude Code. The primary security issues are supply-chain and data-exposure risks: the README explicitly instructs users to install the CLI via an unpinned curl | sh command (download-and-execute), and the workflow encourages sending repository contents and configuration files to external services and running the tool in the background for extended periods. Those patterns are high-risk for credential forwarding and data exfiltration if the installer or remote service is compromised. Functionality (reading repo files, PR comments, running linters) is consistent with the stated purpose, but the install-and-autonomy patterns are disproportionate without additional safeguards (signed releases, checksums, explicit auth flow details, privacy/retention policy). Recommend treating this integration as medium-to-high supply-chain risk until the installer is replaced by a pinned, signed release or more details about authentication, telemetry, and data retention are provided.

Confidence: 95%
Severity: 90%
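The safeguard the analysis asks for, shown as an added example rather than anything shipped by the skill or by Socket: the unpinned download-and-execute pattern replaced by a download to a temporary file, a SHA-256 check against a hash the operator pins in advance, and execution only if the hash matches. The URL and the pinned hash in the usage comment are placeholders, not values published by the project; the hash check itself is the portable part and is what the test below exercises on a constructed file.

```shell
#!/bin/sh
# Hardened stand-in for "curl ... | sh": fetch to a file, verify a pinned
# SHA-256, and only then install it. Added example; the installer URL and the
# expected hash are assumptions the operator supplies, not project values.
set -eu

# sha256_of FILE: print the hex SHA-256 of FILE, using sha256sum (GNU/Linux)
# or shasum (macOS/BSD), whichever is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_pinned FILE EXPECTED_SHA256: exit 0 on match, 1 on mismatch.
verify_pinned() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# install_pinned URL EXPECTED_SHA256 DEST: download, verify, then install.
# Nothing from the network is executed before the hash check passes.
install_pinned() {
  url=$1; expected=$2; dest=$3
  tmp=$(mktemp)
  # --fail turns HTTP errors into failures; --proto '=https' refuses
  # plain-HTTP or FTP redirects; --tlsv1.2 sets a TLS floor.
  if ! curl --fail --silent --show-error --location \
            --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
    rm -f "$tmp"
    echo "download of $url failed" >&2
    return 1
  fi
  if ! verify_pinned "$tmp" "$expected"; then
    rm -f "$tmp"
    echo "checksum mismatch for $url; refusing to run installer" >&2
    return 1
  fi
  install -m 0755 "$tmp" "$dest"
  rm -f "$tmp"
}

# Usage (placeholder URL and hash, to be replaced with values from a
# signed release note or checksum file you have verified out of band):
#   install_pinned https://example.invalid/install.sh \
#     <pinned-sha256-hex> "$HOME/.local/bin/coderabbit"
```

A pinned checksum only protects against the artifact changing after you recorded the hash; it does not tell you the artifact was good when you recorded it. For that, the hash should come from a signed release (a signature you verify with the publisher's key, or a Sigstore-style attestation), which is the second half of what the analysis recommends.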
Audit Metadata
Analyzed At
Feb 25, 2026, 04:48 PM
Package URL
pkg:socket/skills-sh/basher83%2Flunar-claude%2Fcoderabbit%2F@deb1c40070f0715b19439a19d78fa91a85174c5c