qe-pr-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md explicitly directs the agent to run "gh pr diff " and "gh pr view " to read PR diffs and descriptions from GitHub (user-generated third-party content), which the agent must interpret and act on (including posting reviews), allowing indirect prompt injection via untrusted PR text.