subagent-review

Fail

Audited by Snyk on Mar 14, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill requires reviewers to include exact code, concrete diffs, and exact "current code"/"corrected code" in generated findings and summaries, so any secrets present in the repo/PR/context would be reproduced verbatim by the LLM, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches PR and issue bodies and comments from GitHub using commands like gh pr view {N} --json body,comments and gh issue view {N} --json body,comments, saves them to CONTEXT_FILE, and has reviewer subagents read that untrusted, user-generated content as core context that can change review behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill calls "gh pr view" and "gh issue view" at runtime (GitHub API, e.g. https://api.github.com) to fetch PR/issue bodies and comments which are saved to CONTEXT_FILE and injected directly into subagent prompts, so external content can control the agent's instructions.

Issues (3)

HIGH W007: Insecure credential handling detected in skill instructions.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: HIGH
Analyzed: Mar 14, 2026, 03:11 AM
Issues: 3