build-review-persona

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly instructs the agent to "mine their GitHub review history" and "Collect review comments from PRs the person reviewed in the last year across the GitHub org," meaning it ingests untrusted, user-generated GitHub PR comments and conversations which the agent must read and use to synthesize reviewer behavior and drive subsequent actions (posting comments), creating a clear vector for indirect prompt injection.