pr-review-resolver

Warn

Audited by Socket on Feb 19, 2026

1 alert found:

Security: MEDIUM
File: SKILL.md

[Skill Scanner] Backtick command substitution detected

All findings:
- [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
- [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

The skill file itself appears functionally consistent with its stated purpose: interactively resolving PR review comments, reading/writing review caches, launching background repair tasks, and updating PR comments on GitHub. There are no hardcoded secrets, obfuscated payloads, or explicit calls to suspicious external domains in this fragment. However, the skill delegates all privileged network and cache-write operations to scripts under ${CLAUDE_PLUGIN_ROOT}/scripts/* and allows execution of those scripts via allowed-tools. That delegation concentrates risk — if the scripts are malicious or compromised they could exfiltrate credentials or data or perform unauthorized GitHub operations.

Recommendation: review and audit the scripts referenced (get-pr-number.sh, cache-read-comment.sh, cache-write-comment.sh and any background-task handlers) before granting this skill execution rights. Given the available evidence, label this skill SUSPICIOUS (not outright malicious) due to the high-privilege script-execution surface and the potential for abuse if those scripts are not trusted.

LLM verification: BENIGN: The PR review resolver workflow is coherently designed for interactive, per-item PR review resolution with user-driven decisions and background repair tasks. Data flows are contained to PR metadata, local caches, and GitHub updates via approved scripts. No evidence of malware or credential harvesting is detected in the provided fragment. Operational safeguards (caching, atomic writes, and per-item approvals) help reduce risk, though attention should be paid to cache synchronization and r

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At: Feb 19, 2026, 08:38 AM
Package URL: pkg:socket/skills-sh/marxbiotech%2Fpr-review-toolkit%2Fpr-review-resolver%2F@41820ad6e712fcdf58f458291acfe25ff0829f38