review-pr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the agent to read GitHub PR descriptions and diffs (e.g., "Read PR description and diff" with commands like gh pr diff <PR> and git diff "$MERGE_BASE"..pr-<PR>), which are untrusted, user-generated third-party content that the agent must interpret as part of its workflow and that can materially influence review decisions and actions.