pr-info

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to fetch and read user-generated GitHub PR content (reviews, inline comments, and issue comments) via endpoints like repos/$REPO/pulls//reviews, repos/$REPO/pulls//comments and repos/$REPO/issues//comments, which are untrusted third‑party inputs that can materially influence decisions or subsequent actions.