code-review

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the Security agent to scan for hardcoded secrets and produce findings (including code suggestion blocks/inline comments) but gives no instructions to redact or avoid printing secret values, which creates a clear risk that secrets found in code would be reproduced verbatim in output.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests GitHub PR data (via commands like gh pr view {number} and gh pr diff {number}) and instructs the agents to "Read the PR description" and inject a derived "PR Purpose" into domain agent prompts, so untrusted user-generated PR descriptions/commits from GitHub can directly influence agent analysis and actions.