pr-verify

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and parses user-generated GitHub PR data (e.g., gh pr list/view calls that read PR descriptions, comments such as the / comments, commit messages, and changed files as shown in Step 1, Step 3, and Step 4), and those parsed contents are used to drive verification decisions and merge/push actions, so untrusted third-party content can materially influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill fetches and checks out PR code at runtime (e.g., via git fetch origin pull/${PR_NUMBER}/head:refs/pr/${PR_NUMBER} and by adding/fetching a fork remote such as https://github.com/${HEAD_OWNER}/$(gh repo view --json name --jq '.name').git) and then runs that code (bun run test / bun run start), so remote repository content is fetched at runtime and executed.