review-github-pr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md explicitly instructs cloning and reading arbitrary GitHub pull requests (Mode 2: parsing a https://github.com/owner/repo/pull/123 URL, running gh pr view/gh pr diff and passing the full diff and PR description to parallel review agents), which ingests untrusted, user-generated third-party content that can directly influence subsequent tool actions and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's Mode 2 explicitly clones a user-supplied GitHub pull request URL at runtime (e.g., https://github.com/owner/repo/pull/123) and then feeds the fetched diff/full repo content into the review agents, so remote repository content can directly control the agent's prompts and behavior.