qe-github-code-review

Fail

Audited by Snyk on Feb 27, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill includes examples that execute shell commands derived from untrusted PR comments (execSync with comment body) and exposes runtime execution of custom agents and npx-invoked packages, creating clear remote code execution and supply-chain/backdoor vectors if used without strict validation and isolation.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests user-generated GitHub content (PR bodies, diffs, and comment text) via gh pr view/gh pr diff and a webhook handler as shown in SKILL.md (e.g., "Complete Review Workflow", "PR Comment Commands", and the "Webhook Handler for Comment Commands"), so untrusted third-party content is read and can directly drive agent actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill includes webhook code and auto-fix examples that execute shell commands (execSync, npx, push-changes) using unvalidated PR comment input and automatic pushes/merges, which can lead to arbitrary command execution and modification of the host environment—so it poses a significant risk of compromising the machine state.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 27, 2026, 06:09 PM