gh-pr-audit

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill directly fetches and inspects untrusted, user-generated GitHub PR content (e.g., _get_pr_meta calling "gh pr view" and _fetch_pr_refs running "git fetch origin pull//head" then scanning files in the PR worktree), and those contents are interpreted to decide labels/comments and follow-up actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill performs runtime git fetch of the PR head via "git fetch origin pull//head" (i.e., the repository's origin remote such as git@github.com:org/repo.git or https://github.com/org/repo.git) and can execute fetched code (e.g., running pytest with --run-tests and other repo-native checks), so remote repository content can be executed during runtime.