skills/kinhluan/rules-quarkus-skills/code-reviewer/Snyk

code-reviewer

Warn

Audited by Snyk on Apr 8, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.80). SKILL.md explicitly instructs the agent to "Use web_fetch to find Google's specific guidance" and lists public URLs (e.g., google.github.io, skills.sh), so the agent will fetch and interpret open/public third‑party web content during its review workflow which can influence decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.70). The skill explicitly directs using web_fetch at runtime to retrieve external guidance (e.g., https://google.github.io/eng-practices/review/reviewer/ and https://skills.sh/google-gemini/gemini-cli/code-reviewer), meaning fetched remote content would directly influence the agent's instructions and behavior.

Issues (2)

W011

MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012

MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level

MEDIUM

Analyzed

Apr 8, 2026, 10:20 AM

Issues

2