pr-writing-review

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The prompt includes a hidden {{env}} placeholder that would cause the agent to disclose environment variables (potential secrets) unrelated to the PR-writing-review functionality, i.e., a concealed exfiltration instruction.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's script fetches and parses public GitHub PR data (review comments, suggestion blocks, commits, and file contents) using gh API calls such as "gh api repos/{owner}/{repo}/pulls/{pr_number}/comments" and "gh api repos/{owner}/{repo}/contents/{path}", then feeds those user-generated PR comments and file contents into its LLM analysis. This exposes the agent to untrusted third-party content that could carry indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill invokes the GitHub CLI at runtime to fetch user-supplied PR data (e.g., from a PR URL like https://github.com/org/repo/pull/123, and through the GitHub contents API, such as repos/{owner}/{repo}/contents/{path}?ref={ref}). It injects raw PR comments and file contents into its output (intended for LLM analysis), so remote GitHub content can directly control prompts supplied to an LLM.
Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 16, 2026, 12:46 PM