setup-optimize-code-action

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to ask the user for the Gemini API key and then embed that key verbatim into CLI commands (e.g., gh secret set ... --body "<THE_KEY>"), which requires the LLM to handle/output the secret directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's required workflow and MCP prompt (in SKILL.md and .github/commands/gemini-optimize-code.toml) explicitly instruct the agent to call pull_request_read.get, pull_request_read.get_files, and pull_request_read.get_diff to ingest PR titles, bodies, files, and diffs — untrusted, user-generated GitHub content that the agent must read and act on to produce comments/suggestions, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The GitHub Actions workflow fetches and executes remote code at runtime via the external action "google-github-actions/run-gemini-cli@v0" and by pulling/running the container image "ghcr.io/github/github-mcp-server:v0.27.0", both of which are required runtime dependencies that execute external code.