dependabot-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md and README explicitly instruct the agent to fetch and parse changelogs/releases from third-party public sources (e.g., GitHub repos and RubyGems.org via "Fetch the changelog" / "https://github.com//releases" and the README's "Network access to fetch changelogs from GitHub and RubyGems.org"), and those untrusted, user-authored pages are read and used to determine merge/verdict actions and PR comments—so externally authored content can directly influence behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches changelogs and release notes at runtime (e.g., https://github.com//releases and https://rubygems.org/gems/) and injects that external content into its analysis/review workflow, so remote content can directly control the agent's prompts and outputs.