pr-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflow (see "_review-core.md" Local Environment (With Network Access) and Workflow steps) directs the agent to fetch PR diffs and metadata using gh pr diff / gh pr view from GitHub — user-generated, third-party PR content that the agent reads and acts on (including spawning a Devil's Advocate sub-agent with the diff), so untrusted content can influence decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill fetches PR diffs and metadata at runtime (via the gh CLI/git commands) and injects that external GitHub content into the agent context — e.g. the PR URL pattern https://github.com/{owner}/{repo}/pull/{PR_NUMBER} — so remote PR content can directly control the agent's prompts.