work-with-pr
Warn
Audited by Snyk on Mar 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's verification loop (Phase 3: Gate A and Gate C) explicitly instructs the agent to fetch and parse untrusted, user-generated GitHub content—CI run logs via gh run view and PR review bodies via gh api "repos/${REPO}/pulls/${PR_NUMBER}/reviews" (including cubic-dev-ai[bot] comments)—and then act on the parsed findings to determine fixes, commits, and pushes, which could enable indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The skill uses a runtime GitHub API call (gh api "repos/${REPO}/pulls/${PR_NUMBER}/reviews" — i.e., https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}/reviews) to fetch Cubic bot review text which the agent parses to decide what fixes to make, so external content directly controls agent instructions at runtime.
Issues (2)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).