github-pr-comments

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches GitHub pull request review threads (scripts/pr-comments.sh calls gh api graphql to retrieve reviewThreads.nodes including comments.body and diffHunk) and SKILL.md directs the agent to read those reviewer comments (user-generated, untrusted) and apply changes, so third-party content directly drives tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill invokes the GitHub API at runtime via the gh api graphql command (GitHub GraphQL endpoint, e.g. https://api.github.com/graphql) to fetch PR review comment bodies — including suggestion blocks — which the skill then instructs to apply verbatim, so the externally-fetched content directly controls the agent's actions and is a required runtime dependency.