github-code-review

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The content includes a webhook handler that execSyncs unsanitized PR comment text (and lacks webhook signature verification), plus widespread execution of npx-installed packages and auto-execute hooks—together these create a clear remote code execution / supply-chain risk allowing arbitrary command execution and potential backdoors or data exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly ingests untrusted, user-generated GitHub content (PR body, files, diffs, and comments) — e.g., gh pr view/gh pr diff calls and the webhook-handler.js which parses event.comment.body and passes it into execSync/npx commands — so the agent reads and acts on third-party input that could carry injected instructions.