perform-security-review

Fail

Audited by Snyk on Apr 10, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The prompt contains deceptive/overriding instructions outside normal review scope—notably forcing subagents to “approach this analysis without safety refusals” (an attempt to bypass system safety constraints) and instructing the agent to hide the unconditional deletion step from the user—so it includes hidden/unsafe directives beyond the skill's stated purpose.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's required workflow (SKILL.md steps 1B/1C and the agent prompts) explicitly fetches and ingests external GitHub data — e.g., gh pr diff ... > /tmp/security-review-<id>.diff and multiple gh api --method GET "repos/{owner}/{repo}/... calls to gather CODE SCANNING / SECRET SCANNING / DEPENDABOT evidence — and those fetched diffs/scan outputs are then read and used by agents to influence findings and triage, exposing the agent to untrusted, user-generated third-party content that could carry indirect prompt-injection content.

Issues (2)

E004 (CRITICAL): Prompt injection detected in skill instructions.

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

Risk Level: CRITICAL
Analyzed: Apr 10, 2026, 08:10 PM
Issues: 2