review-pr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and reads GitHub pull request content (e.g., via "gh pr diff ", "gh api", and checking out the PR branch) — i.e., untrusted user-generated PR descriptions/diffs/code — and uses that content as part of its review workflow, creating a vector for indirect prompt injection.