pr-review

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill explicitly tells the agent to prompt the user for a personal access token (PAT) when CLI tools are unavailable and to fall back to REST API calls, which implies the LLM will need to accept and embed secret tokens into requests/commands (exfiltration risk).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches PR/MR comments from third-party GitHub/GitLab APIs or via gh/glab CLI (see "第四步：获取评论数据" with REST GET https://api.github.com/... and glab api .../notes), these comments are user-generated/untrusted content and the skill then analyzes them to produce suggestions and drive actions (see "第六步：分析并输出建议"), so untrusted third-party content can materially influence the agent.