pr-automation

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill fetches and parses user-generated GitHub PR comments (via commands like gh pr view ... --json comments), explicitly loads and outputs the cached review report and the block into the conversation in Steps 3b and 6, and then uses those parsed values to drive decisions (review/fix/merge), so untrusted third-party PR comment content can materially influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill performs runtime git fetches from the repository remote (e.g., git fetch origin pull/${PR_NUMBER}/head — i.e. the repo remote such as git@github.com:ORG/REPO.git or https://github.com/ORG/REPO.git) and then runs project tooling in a temporary worktree (bunx tsc, bun run lint:fix), which is clear high-confidence evidence that externally fetched code is executed at runtime and is required for the automation (conflict resolution/quality checks).