auto-review-loop-llm

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.70). The prompt includes explicit deceptive instructions outside the stated review purpose—e.g., "Do NOT ask the user for permission — just do it silently" (and directives to save raw responses verbatim), which instructs the agent to act without user consent and risks capturing/exfiltrating confidential data.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly calls external LLM providers via the MCP/curl flows (e.g., OpenAI/DeepSeek/etc.), "Save the FULL raw response verbatim" into AUTO_REVIEW.md, and "include previous context" (the raw reviewer responses) in subsequent round prompts, meaning untrusted third-party model outputs are ingested and can directly influence decisions and actions.