github-code-review

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The content contains high-risk insecure patterns—unsanitized execSync use of webhook/comment input (remote code execution/command injection), widespread use of npx (supply-chain risk), and automated auto-fix/merge flows—so while not obviously exfiltrating data or obfuscated, it enables serious RCE/supply-chain abuse if deployed as-is.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill directly ingests arbitrary, user-generated GitHub content—e.g., via commands like "gh pr view --json files,body,diff", "gh pr diff", and webhook handlers that read PR comment bodies—and reads/interprets PR descriptions, diffs and comments as part of its workflow, exposing the agent to untrusted third-party input that could carry indirect prompt injection.