pr-comments

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and parses GitHub review threads, PR reviews, and issue-level comments via the GitHub API (see SKILL.md Phase 1 and references/github-api.md) and then triages those human- and bot-authored, user-generated comments (see references/bot-patterns.md) to generate fix plans and to drive automated fixes/resolves in Phase 3–4, so untrusted third-party content is read and can materially change agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill runs gh api calls to GitHub at runtime (e.g., the GraphQL endpoint via gh api graphql and REST endpoints like repos/{owner}/{repo}/pulls/{pr}/reviews and repos/{owner}/{repo}/issues/{pr}/comments), and it explicitly extracts bot/human comment content (including “Prompt for AI Agents” and suggestion blocks) from those responses to drive agent prompts and fixes, so remote PR comment content fetched from these URLs can directly control agent instructions.