workflows-review

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 1.00). The prompt instructs agents to suppress/discard findings for specific protected artifact paths and mandates automatic todo creation without user approval, which deceptively narrows/changes the "exhaustive" review behavior and hides potential issues outside the stated purpose.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and ingests user-generated PR content from GitHub (e.g., "gh pr view --json", GitHub URLs / PR number inputs and "PR content" used by multiple review agents), which is untrusted third‑party content the agent is expected to read and interpret as part of its workflow.