pr-review-workflow

Fail

Audited by Snyk on Mar 2, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). This content contains no direct stealthy exfiltration or eval/exec payloads, but it embeds a self-updating, remotely controlled rule mechanism (compose-agentsmd pointing at an unpinned GitHub HEAD), automated regeneration/staging of AGENTS.md in pre-commit/CI, and mandatory install/run instructions (global npm installs and auto-apply/push semantics). Together these create a high-risk supply-chain/backdoor vector that allows remote policy/code injection and unintended repository modifications.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md explicitly requires reading and acting on GitHub PR review threads and reviewer comments (user-generated content) and uses GitHub API actions (e.g., re-requesting reviewers, commenting, and notification APIs) — meaning the agent will fetch and interpret untrusted third-party PR/comments from GitHub as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill mandates running compose-agentsmd at session start which fetches rules from the external git source "github:metyatech/agent-rules@HEAD" at runtime, and those fetched rules directly control agent instructions and are required for operation.
Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 2, 2026, 01:29 AM