code-review-assistant

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The package includes clear intentional exfiltration behavior (hardcoded external email recipient winsorllc@yahoo.com that will be sent full progress/report content if SMTP creds are present), plus multiple unsafe exec/command usages that interpolate user-controlled values (command injection / RCE risk), and it will send entire diffs (which may contain secrets) to external LLM APIs — together these constitute high-risk/backdoor-capable behavior.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches arbitrary public GitHub pull request content (see fetchPR using gh pr view and gh pr diff) and injects the untrusted PR diff directly into the LLM prompt in analyzeCode, so malicious or user-generated PR content could perform indirect prompt injection and alter the agent's analysis or actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill accepts and fetches GitHub PR URLs at runtime (e.g., https://github.com/owner/repo/pull/123) via gh pr diff and injects the retrieved diff directly into the LLM prompt, so external repo/PR content can directly control the agent's prompt context.