visual-explainer

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's prompts (e.g., prompts/diff-review.md) explicitly instruct the agent to fetch and read PRs/commit descriptions via commands like "gh pr diff 42" and to "read commit messages and PR descriptions" — these are user-generated, public GitHub contents that the agent is expected to interpret and use to drive review decisions and follow-up actions, creating a clear avenue for indirect prompt injection.