warden-sweep

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly calls the GitHub CLI to fetch open PRs and PR diffs (scripts/index_prs.py -> gh pr list / gh pr diff), queries GitHub users by email (scripts/find_reviewers.py -> gh api), and then uses those fetched, user-generated PR/diff data to decide deduplication and whether to skip or create patches (Phase 4 dedup steps in SKILL.md), so it ingests untrusted third‑party content that can materially influence actions.