github-integration

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.92). Mostly legitimate GitHub automation code, but I found multiple high-risk patterns — notably unescaped shell/exec calls that interpolate webhook/PR payloads (command injection / RCE), and extensive use of external agent tooling and network calls (claude-flow, Flow‑Nexus, Slack/webhooks) that increases supply-chain and data-exfiltration risk if abused.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill ingests and processes untrusted, user-generated GitHub content — e.g., webhook payloads, PR/issue titles and bodies, changed files and CODEOWNERS via octokit/gh API and webhook endpoints shown in examples (examples/example-2-webhook-handling.md and example-1), which the agent reads and acts on (auto-labeling, reviewer assignment, changelog generation), exposing it to indirect prompt-injection risk.