pr-comments

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches PR review threads and issue-level comments from GitHub via GraphQL and gh api (see Phase 1b and 1d in SKILL.md) and then reads those user-generated comment bodies to build fix plans and to populate subagent prompts, which could allow malicious comments to inject instructions that influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill issues runtime GitHub API calls (gh api graphql -> https://api.github.com/graphql and gh api --paginate "repos/{OWNER}/{REPO_NAME}/issues/{PR_NUMBER}/comments?per_page=100" -> https://api.github.com/repos/{OWNER}/{REPO_NAME}/issues/{PR_NUMBER}/comments) to fetch PR comment bodies which are then injected into the generated review plan and subagent prompts, so external content directly controls agent instructions.