qe-github-code-review

The skill description coherently outlines a multi-agent code review workflow and provides concrete commands for orchestration, which aligns with its stated purpose. However, there is a dangerous and high-risk anomaly: the webhook-handler.js snippet demonstrates executing shell commands derived from webhook payloads without input validation or authentication. If deployed, this creates a powerful remote command execution pathway that could be abused to perform arbitrary actions on the host or repository. Given the presence of this unprotected execution path, the overall footprint is suspicious and potentially dangerous. The rest of the components (multi-agent review orchestration, PR interactions via GitHub CLI, and custom agents) are reasonable for the intended purpose, but the insecure webhook handling significantly escalates risk. Treat this as SUSPICIOUS to HIGH risk pending secure redesign (explicit input validation, signature verification, least-privilege tokens, and removal or hardening of untrusted exec paths).