oh-pr-workflow

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and parses user-generated PR data and comments from public GitCode and defects from the DCP API (see SKILL.md modes 3–5: "Fetch PR comments", "list_pr_files", "get_pull_request" and scripts/fetch_gate_defects.sh calling https://dcp.openharmony.cn), and the agent uses that untrusted content to decide and perform code fixes, commits, and pushes—so third-party content can directly influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly calls the DCP codecheck API at runtime (e.g. https://dcp.openharmony.cn/api/codecheckAccess/ci-portal/v1/event/{ciEventId} and the related task endpoint used by scripts/fetch_gate_defects.sh) to fetch defect JSON that is parsed and injected into the workflow to decide and drive automatic fixes, so this external URL is used at runtime and directly controls the agent's actions.