land

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly calls the gh CLI to fetch PR issue comments and review comments via endpoints like repos/{owner}/{repo}/issues/{pr}/comments and repos/{owner}/{repo}/pulls/{pr}/comments (see get_issue_comments/get_review_comments and the wait_for_codex/raise_on_human_feedback logic), and it parses those user-generated comment bodies to decide whether to halt, require changes, or proceed with merging—so untrusted third-party content can directly influence agent actions.