review-pr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and ingests untrusted, user-generated GitHub content (e.g., via "gh pr view", "gh pr diff", and "gh api users/" in Step 1 and is used in the mandatory verification commands in Step 8) and requires the agent to read and act on that PR/diff/author content to drive reviews and tool use, so third-party PR content could inject instructions affecting decisions.