team-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs fetching PRs/issues with commands like "gh pr view --json title,body,files" and "gh issue view --json title,body,comments" and to provide each subagent with the full target context (diff, file contents, etc.), so the agent ingests user-generated GitHub/PR/issue content that could contain untrusted instructions influencing its actions.