structural-pr-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly requires access to PR description, full diffs, and full repository files (see "Inputs required" and "Agent requirements"), meaning it ingests arbitrary user-generated PR content and custom rule files from contributors which the agent is expected to read and can materially influence review decisions and tool actions, enabling indirect prompt injection.