pr-watch

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md instructs the agent to fetch and parse PR comments via gh api/gh pr commands (e.g., "repos/$REPO/pulls/$PR_NUM/comments" and "gh pr view") — these are untrusted, user-generated GitHub PR comments that the agent must read and act on (reply or change code), which could carry indirect prompt-injection content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill issues gh api calls at runtime (e.g., gh api "repos/$REPO/pulls/$PR_NUM/comments") to fetch PR comments which are injected into the agent's context and can directly control prompts/behavior, so this external content is a required runtime dependency and flagged.