review-github-pr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly instructs the agent to run gh pr diff and gh api repos/{owner}/{repo}/contents/{path}?ref={head_branch} to fetch PR diffs and file contents from GitHub, which are user-generated, potentially public third-party content that the agent must read and act on when producing review comments.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill requires running the GitHub CLI to fetch remote PR diffs and file contents at runtime (e.g., gh pr diff / gh pr view and gh api "repos/{owner}/{repo}/contents/{path}?ref={head_branch}" and the review submission endpoint repos/{owner}/{repo}/pulls/{number}/reviews), which injects raw repository content into the agent's context and thus directly controls its prompts and behavior.