connector-review

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 1.00). The prompt goes beyond a review role by instructing the agent to "immediately fix all blockers, warnings, and actionable suggestions" (Step 8) and modify/update PRs without asking, which is an instruction to change code/behavior outside the skill's stated review-only purpose.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and ingests untrusted, user-generated GitHub PR content (e.g., "gh pr diff {PR_NUMBER}" and "gh pr view {PR_NUMBER} --json body" in SKILL.md and the analyze_connector.py workflow), reads PR diffs/descriptions/commit messages as part of its review workflow, and uses those inputs to drive analysis, produce findings, and perform actions (post edits/comments and apply fixes), so third-party content could indirectly inject instructions despite stated trust-boundary mitigations.