code-review

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt requires the agent to read full git diffs and include code snippets/examples in its report, so any secrets present in the diffs (API keys, tokens, passwords) would be reproduced verbatim in the output, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md instructs the agent to "Always fetch the latest version of the RFC" from https://raw.githubusercontent.com/... (see references/folio-breaking-changes.md), so the agent will fetch and interpret public third‑party web content that can materially influence review decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs at runtime to fetch and parse the live RFC from https://raw.githubusercontent.com/folio-org/rfcs/refs/heads/master/text/0003-folio-breaking-changes.md, and that fetched content is required and used to control the agent's review logic, so it directly influences agent instructions.