address-code-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and reads GitHub PR comments (inline and general) via the GitHub CLI/GraphQL and processes review.jsonl entries as part of its triage workflow, meaning it ingests untrusted, user-generated third-party content that can directly influence decisions and subsequent code-change actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill explicitly fetches runtime review content from GitHub APIs (e.g., the gh api endpoint pattern "https://api.github.com/repos/{owner}/{repo}/pulls/{pr}/comments" and the related "gh api repos/{owner}/{repo}/pulls/{pr}/comments/{id}/replies" pattern) and also instructs running git pull to retrieve review.jsonl; those externally fetched comments/review files are ingested into the agent's workflow and directly drive prompts/decisions, so this is a runtime dependency that can control the agent.