gh-pr-metadata

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill directly reads the current GitHub PR title and body via gh pr view (and uses the PR body/template from the repository) which are user-generated/untrusted GitHub content that the workflow explicitly reads and uses to validate and rewrite PR metadata, so malicious PR text could materially influence the agent's actions.