devex-review

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.90). The skill includes explicit, persistent side-effecting instructions (telemetry/brain-sync that can publish session memory, writing repo names to analytics, creating or committing CLAUDE.md, auto-upgrade and vendoring git operations, and other config changes) that go beyond a stated "devex review" audit and misrepresent telemetry promises — i.e., hidden/exfiltrating and environment-mutating behaviors not aligned with the skill's advertised purpose.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the agent to use the browse/WebSearch tool to navigate and read web-accessible docs, API playgrounds and public pages as part of the live audit (see "Use the browse tool to navigate docs..." and the "Scope Declaration" in SKILL.md), and those third‑party pages are read and interpreted to drive scoring, findings, and next actions—exposing the agent to untrusted external content that could contain indirect prompt injections.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's SETUP step will, if bun is missing, download and execute the installer script via curl -fsSL "https://bun.sh/install" and then run it with bash (fetches and executes remote code at runtime), so https://bun.sh/install is a runtime external dependency that can execute code.