request-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The request-review script (scripts/request-review) explicitly calls the GitHub CLI / gh API to fetch PR inline comments, issue comments and reactions from GitHub (e.g., repos/.../issues/.../comments and /pulls/.../comments) and interprets their bodies and reactions to decide review outcomes, so it consumes untrusted, user-generated third‑party content that can materially change its behavior.