code-review
Warn
Audited by Snyk on Mar 26, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly requires fetching and reading PR diffs, full source files, PR descriptions, linked issues, and existing review comments from GitHub (public, user-generated content) as part of the review workflow, so untrusted third‑party text can be ingested and materially influence the agent's review decisions and actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill explicitly requires calling the GitHub API at runtime (e.g., https://api.github.com via the gh CLI) to fetch issue comments that contain the "approved API" shape which the agent then uses to control its API-approval verification logic.