address-pr-comments

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests GitHub pull request review threads and general issue comments via the GitHub API (steps 3a/3b) and then reads/interprets those user-generated comments to propose fixes, spawn developer agents, and drive automated actions (step 4+), exposing the agent to untrusted third-party input that could contain indirect prompt-injection instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill calls GitHub at runtime (e.g., via "gh api graphql -f query=..." and "gh api repos/{owner}/{repo}/issues/{pr_number}/comments") to fetch PR review and conversation comments which are then injected into agent prompts and used to spawn/drive developer subagents, so these GitHub API endpoints are runtime dependencies that directly control agent instructions.