code-security-audit
Warn
Audited by Snyk on Feb 28, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk score: 0.90). The skill explicitly instructs the agent to fetch and read external web documentation at runtime (the up-to-date SKILL.md and the URLs listed in references/doc-urls.md, via fetch_webpage) and to load and analyze PR diffs and public repository content (the code-security-audit SKILL.md, assets/security-review-command.md, and the evals run_eval owner/repo#123 flow). All of these are untrusted, user-generated third-party sources: the agent parses them and lets their contents drive its analysis and the PR comments it posts, so text placed in a diff, a README, or a linked documentation page can steer the review (indirect prompt injection).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk score: 0.80). The repository instructs users to copy a remote slash-command file into the agent's commands directory, where it is loaded at runtime, from the GitHub URL https://github.com/anthropics/claude-code-security-review/blob/main/.claude/commands/security-review.md?plain=1. The markdown fetched from that URL is itself a set of instructions the agent will follow, so whoever controls the file controls agent behavior at runtime; because the URL points at the mutable `main` branch rather than a fixed commit, the content can also change after it has been reviewed.
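The practical mitigation for W012 is to install the command file only from an immutable revision and only after checking its digest against one recorded when that exact revision was reviewed. The POSIX shell script below is an added example written for this audit page, not code from the audited repository or from Snyk. The commit SHA and digest in the `--install` branch are placeholders (assumptions) that must be replaced with values you have verified yourself; the raw.githubusercontent.com URL layout is assumed from GitHub's usual scheme.

```shell
#!/bin/sh
# Added example, not part of the audited skill: install a remote slash-command
# file only from a pinned commit and only if its SHA-256 matches a digest that
# was recorded after reviewing that exact revision.
set -eu

# Portable SHA-256 of a file: prefer sha256sum (coreutils), fall back to shasum (macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# fetch_pinned OWNER/REPO COMMIT_SHA PATH OUT
# Downloads from raw.githubusercontent.com at a full 40-hex commit SHA. A branch
# name such as "main" is rejected because its content can change after review.
fetch_pinned() {
  repo=$1; commit=$2; path=$3; out=$4
  case "$commit" in
    *[!0-9a-f]*|"") echo "refusing: commit must be a hex SHA, not a branch name" >&2; return 1 ;;
  esac
  [ "${#commit}" -eq 40 ] || { echo "refusing: commit must be 40 hex chars" >&2; return 1; }
  curl -fsSL "https://raw.githubusercontent.com/$repo/$commit/$path" -o "$out"
}

# verify_and_install SRC DEST EXPECTED_SHA256
# Copies SRC to DEST only when the digest matches; otherwise returns 1 and
# leaves DEST untouched, so a changed upstream file never reaches the agent.
verify_and_install() {
  src=$1; dest=$2; expected=$3
  actual=$(sha256_of "$src")
  if [ "$actual" != "$expected" ]; then
    echo "refusing to install $dest: sha256 $actual != $expected" >&2
    return 1
  fi
  mkdir -p "$(dirname "$dest")"
  cp "$src" "$dest"
  return 0
}

# Usage (network access required). PINNED_COMMIT and REVIEWED_SHA256 are
# placeholders: replace them with the commit you reviewed and its digest.
if [ "${1:-}" = "--install" ]; then
  PINNED_COMMIT="0000000000000000000000000000000000000000"   # placeholder
  REVIEWED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"   # placeholder
  tmpfile=$(mktemp)
  fetch_pinned anthropics/claude-code-security-review "$PINNED_COMMIT" \
    .claude/commands/security-review.md "$tmpfile"
  verify_and_install "$tmpfile" .claude/commands/security-review.md "$REVIEWED_SHA256"
  rm -f "$tmpfile"
fi
```

Run it as `sh install-command.sh --install` after filling in the placeholders. Pinning alone is not enough: the reviewer still has to read the markdown at that commit, since the file is instructions the agent will execute, and the digest only guarantees that the installed bytes are the ones that were read.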
Audit Metadata