pr-comments

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's script scripts/fetch-pr-feedback.sh calls gh pr view and gh api "repos/.../pulls/.../comments" to fetch GitHub PR comments/reviews (user-generated, potentially untrusted third‑party content) and the agent is expected to read and act on those comments as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill invokes gh api "repos/${REPO}/pulls/${PR_NUMBER}/comments" (i.e. https://api.github.com/repos/.../pulls/.../comments) at runtime and injects PR comment content into the agent's review/fix workflow, so remote comment text can directly control prompts/instructions.