github-code-review

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill contains high-risk insecure patterns enabling remote code execution and supply-chain abuse — notably execSync calls that run unvalidated PR comment content, a webhook handler that lacks signature/validation, facilities to auto-commit/push fixes and register custom agents (which can run arbitrary code), and other dynamic npx/command executions that could be abused to exfiltrate credentials or modify repos.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill directly fetches and ingests user-generated GitHub content (PR bodies, diffs, files, and comment bodies via gh pr view/gh pr diff and the webhook handler that parses event.comment.body), which the agents read and act on—exposing it to untrusted third-party input that could carry indirect prompt injection.