dependabot-review

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.80). The prompt explicitly instructs the agent to omit any attribution and make PR comments "read as if written by the user," which is a deceptive direction (to hide automated origin) not required for the review task and thus constitutes prompt-injection-like behavior.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Step 2 ("Review Changelog & Breaking Changes") explicitly instructs the agent to fetch and parse changelog files and release notes from external GitHub repositories and RubyGems (public third-party content), which the agent must read and interpret to form merge recommendations that materially influence its decisions and actions.