pr-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's "获取 PR 信息" workflow explicitly runs gh pr view/gh pr diff to fetch PR titles, bodies, files and diffs from GitHub (user-generated, potentially public third-party content), which the agent is expected to read and use to generate reviews and post comments, so external PR content could indirectly inject instructions.