gh-code-review

Fail

Audited by Snyk on Feb 28, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 0.90). The prompt includes explicit instructions to avoid asking the user for approvals and to bundle commands to minimize sandbox prompts—behavior that tries to bypass expected approval controls and is outside the stated code-review purpose, so it is a deceptive/hidden instruction.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). This skill fetches and ingests public, user-generated GitHub PR content (via gh pr diff and gh pr view) and explicitly requires the agent to read and act on that content to form review findings and decisions, so untrusted third-party text could influence tool use or actions.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 28, 2026, 02:08 AM