code-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to fetch and read PR and issue content from GitHub using commands like "gh pr view", "gh pr diff", and "gh issue view", which are user-generated/untrusted third-party texts that the agent interprets and uses to drive review decisions—so they could carry indirect prompt-injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill uses GitHub PR URLs at runtime (e.g., https://github.com/owner/repo/pull/45) via commands like gh pr view / gh pr diff to fetch remote PR title/description/diff and inject that content into the review prompt, so external content can directly control the agent's instructions/context.