review-pr

Fail

Audited by Snyk on Mar 21, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt requires the agent to search for and report "sensitive data" and to point to exact files and lines, and its examples show code snippets and shell/API commands. When a PR contains hardcoded credentials, the agent would therefore likely include those secret values verbatim in its generated report or commands unless it is explicitly told to redact them, which creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs the agent to read PR metadata and content (e.g., "PR description", "linked issues", commit messages, and files like CLAUDE.md / CONTRIBUTING.md) by running gh commands (gh pr view, gh pr diff). This material is untrusted, user-generated third-party input that the agent is expected to interpret and that can influence its review actions.

Issues (2)

HIGH W007: Insecure credential handling detected in skill instructions.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: HIGH
Analyzed: Mar 21, 2026, 04:51 PM
Issues: 2