This is a GitHub Action that sends pull request content to an LLM via OpenRouter and posts the model's findings as a PR review. The attack surface this repository owns:
- The action's TypeScript — event payload parsing, diff parsing, prompt assembly, LLM response validation, and review submission
- Credential handling —
github_tokenandopenrouter_api_keyarrive as action inputs (environment variables inside the container); they are never logged, persisted, or included in prompts - The Docker image — base image and build stages
- CI/CD workflows — GitHub Actions that test and build the image
By design, the action sends the PR diff, changed-file contents, related-file contents, and the repo's conventions file to the model you configure via OpenRouter. Do not run it on repositories whose code must not be shared with a third-party model provider. Review OpenRouter's privacy policy and your chosen provider's data retention terms.
PR content (diffs, file contents, titles, descriptions) is untrusted input to
the LLM — prompt injection by a malicious PR is part of the threat model. The
action's blast radius is deliberately narrow: its only write operation is
submitting a PR review (comments), it executes no code from the PR, and the
recommended token is a GitHub App installation token scoped to
pull-requests: write + contents: read. A successful injection can produce
misleading review comments, not repository changes.
Untrusted content is wrapped in delimiter tags carrying a per-run random
suffix (e.g. <file-a1b2c3d4e5f6>), so a PR containing a literal closing tag
cannot break out of the wrapper into instruction position — injected text
always stays visibly inside the untrusted-content block.
Please report security issues through GitHub's private vulnerability reporting rather than opening a public issue.
Please include:
- A description of the vulnerability
- Steps to reproduce or a proof of concept
- The potential impact
You should receive an acknowledgment within 48 hours, and I'll coordinate a fix before any public disclosure.
Only the latest released version is actively maintained. Please upgrade before reporting.
| Version | Supported |
|---|---|
| Latest | Yes |
| Older | No |