vibe-review

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill requires including verbatim "问题代码" snippets from the repository in its report, so if the code contains hard-coded secrets (API keys/tokens/passwords) the LLM will output those secret values directly, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's PR/MR workflow (pr-review.md Step 3 and Step 4) explicitly clones/fetches from public repository URLs (e.g., "git clone https://{PLATFORM}/{OWNER}/{REPO}.git" and "git fetch origin {REF_FORMAT}:pr-{PR_NUMBER}") and may call platform APIs (gh api), after which the agent reads and reviews the fetched diffs and files—clearly ingesting untrusted, user/third-party content that can directly influence its findings and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill performs runtime git operations that fetch arbitrary repository content (e.g., git clone --filter=blob:none "https://{PLATFORM}/{OWNER}/{REPO}.git" and subsequent git fetch / gh api calls), which are injected into the agent's review context and therefore can directly control prompts.