attach-review-to-pr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The SKILL.md explicitly instructs the agent to call GitHub endpoints (e.g., "gh api repos/{owner}/{repo}/pulls/{pr_number}" and "gh api .../pulls/{pr_number}/files") to fetch PR diffs, file paths, and commit SHAs from GitHub — public, user-generated content that the agent is expected to read and use to decide where and what to comment, which could allow indirect prompt-injection via PR text or code.