github-code-review

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The skill includes an HTTP webhook handler that execSyncs unsanitized GitHub event/comment content (remote user-controlled input) and features auto-fix/auto-merge automation that can commit/push changes—together these are explicit remote code-execution/backdoor primitives that could be abused to run arbitrary commands, exfiltrate secrets, or inject malicious code into repositories.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.95). The skill explicitly ingests untrusted, user-generated GitHub content (e.g., PR bodies, diffs, and PR comments via commands like gh pr view, gh pr diff and the webhook handler that runs execSync on event.comment.body) and uses that content to direct agent actions and run commands, which could enable indirect prompt injection.