agent-reviews

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md workflow (Step 2–3) and scripts/comments.js explicitly fetch PR review comments from the GitHub API (fetchPRComments) and present full comment bodies and diff hunks for the agent to read and act on (fix code, commit, and reply), meaning untrusted user-generated content can directly influence the agent's decisions and tooling.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill fetches PR review comments at runtime from the GitHub API (e.g. https://api.github.com/repos/${owner}/${repo}/pulls/... and https://api.github.com/repos/${owner}/${repo}/issues/...) and uses those comment bodies to drive the agent's decision-making and code changes, so external content can directly control agent instructions.