kata-review-pull-requests

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly calls gh pr view and ingests PR/diff content (see "Check if PR already exists: gh pr view" and the Task prompts that inline <diff>\n{diff_content}\n</diff>), meaning it consumes user-generated GitHub PR data which can influence automated review actions (fixes, issue creation, merges), exposing it to untrusted third‑party content that could inject instructions.