pr-reply

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches reviewer comments from arbitrary GitHub PRs using gh api when given a GitHub permalink or PR number (see "Inputs" and "Resolve input" steps), and those user-generated, public comments are read and used to draft replies, so untrusted third-party content could indirectly inject instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill fetches GitHub review comment content at runtime using permalinks like https://github.com///pull/#discussion_r (via gh api /repos///pulls/comments/), and the returned comment body is injected into the agent's prompt to draft replies, so external content directly controls runtime prompts.