github-review-workflow

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The exporter (scripts/export_github_review_comments.py) calls gh api/GraphQL to fetch pull request reviewThreads and top-level comments from GitHub (user-generated, third-party content) and the SOP and scripts explicitly treat those comments — including CodeRabbit "Prompt for AI Agents" blocks — as the actionable queue that agents read and use to decide and dispatch follow-up actions, so untrusted comment text can materially influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The exporter fetches GitHub PR content at runtime from the user-supplied PR URL (e.g. https://github.com///pull/) via gh api and will write CodeRabbit "🤖 Prompt for AI Agents" / walkthrough blocks from those comments into worker context files (context/01-coderabbit-walkthrough.md) unless stripped, meaning remote PR comment content can directly control agent prompts.