pr-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly runs gh pr view and gh pr diff to fetch PR details and diffs from GitHub (user-generated/public PR content) and then reads/acts on that content to drive review decisions and post comments, so untrusted third-party content could inject instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs reading the repository file ".claude/agents/code-reviewer.md" at runtime to drive the review checklist, so fetched content from that file would directly control the agent's prompts/instructions.