forge-review

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt requires exact file:line references and short code excerpts for findings, which would force the model to reproduce any secrets present in source files verbatim (creating an exfiltration risk).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). Yes — SKILL.md's "Scope Determination" explicitly instructs the agent to fetch and read GitHub PR/commit files (e.g., gh pr view <pr_number> / gh pr diff <pr_number>), which are untrusted, user-generated third-party content the agent must interpret to drive review decisions and thus could enable indirect prompt injection.