compat-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The workflow explicitly runs "gh pr view {number} --repo toss/es-toolkit --json title,body,files" and extracts the PR description and diff (user-generated content on GitHub) to build tests and drive subsequent actions, so untrusted third-party PR text can directly influence the agent's behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill uses the GitHub repo toss/es-toolkit (via commands like gh pr diff {number} --repo toss/es-toolkit | git apply) to fetch and apply a PR patch at runtime and then run tests, which causes remote code from github.com/toss/es-toolkit to be executed locally.