pr-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). SKILL.md explicitly instructs the agent to fetch PR details, diffs, comments and reviews from GitHub (via the gh CLI in Local CLI Mode) and to consume injected PR metadata like <formatted_context>, <pr_or_issue_body>, and in GitHub Actions Mode — all of which are untrusted, user-generated third‑party content the agent must read and use to drive review decisions.