ah-review-code

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill fetches and ingests user-generated PR metadata and diffs from GitHub (via gh pr view and gh pr diff in Step 4) and then explicitly has the agent and parallel subagents read/interpret the diff file (${DIFF_FILE}) to determine HAS_REACT and to drive which subagents/skills to invoke, so untrusted PR content can materially influence tool use and next actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill uses the GitHub CLI at runtime (gh pr diff / gh pr view / gh pr checkout) which fetches PR diffs and metadata from github.com (and relies on the repository URL returned by git remote get-url origin, e.g. git@github.com:org/repo.git or https://github.com/org/repo.git); those fetched diffs are injected into subagent prompts (the DIFF_FILE) and thus can directly control the agent context.