review

Fail

Audited by Snyk on Apr 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill requires including diff hunks and "evidence" (file:line or diff) in findings and can instruct the agent to present exact before/after code, which would force the LLM to reproduce any secrets present in the reviewed artifacts verbatim — creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's Phase 1a instructions explicitly tell the agent to run "gh pr diff " and to ingest the "PR description and linked issues" (SKILL.md Phase 1a), which means the agent will fetch and interpret user-generated, public GitHub content that could contain untrusted instructions influencing its review actions.

Issues (2)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: Apr 16, 2026, 02:51 PM
  • Issues: 2