pr-review

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill reads changed files and explicitly requires quoting problematic code and posting the full review (potentially into PR comments), so if those files contain API keys/passwords or tokens the LLM would be instructed to include those secret values verbatim, creating an exfiltration risk even though CLI auth itself is handled externally.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches PR discussion comments with gh pr view <PR_NUMBER> --json comments in Step 4 and then uses pr_discussion in Step 7 as supplementary context for the review, meaning user-generated GitHub content (untrusted third‑party input) is read and can influence review decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill runs git fetch origin pull/${PR_NUMBER}/head (i.e. the repository remote such as git@github.com:org/repo.git or https://github.com/org/repo.git) and then reads the fetched PR files into the agent's context to generate the review, so remote repository content fetched at runtime directly controls the agent's prompts.