ai-review

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs running cat ~/.ai-review/credentials.json, which would expose raw GitLab credentials to the agent/output and therefore requires the model to handle secret values verbatim (high exfiltration risk).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches Merge Request content from arbitrary GitLab URLs via "ai-review get-context <MR_URL>" (writes ~/.ai-review/mr-context.json) which the agent is required to read/analyze (Step 5) and can then use to decide and execute actions like posting comments (Step 8), exposing it to untrusted, user-generated third‑party content from GitLab.