github-pr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The tool explicitly calls "gh pr view" in scripts/github-pr.py (get_pr_info) to fetch PR titles, comments, files and CI info from arbitrary GitHub PRs and also fetches/merges PR branches via git, meaning untrusted, user-generated PR content and code from public repos are read and incorporated into the workflow (and can influence installs/builds), which can materially affect subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill runs git fetch against the configured remote (the git remote URL, e.g. https://github.com//.git or an SSH remote like git@github.com:owner/repo.git) at runtime to pull PR branches and then invokes package-manager install/build commands that will execute code from that fetched repository, so the remote git URL is a runtime dependency that can execute remote code.