unblocked-context-query-prs

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly instructs the agent to call context_query_prs against third-party code hosting sources (GitHub, GitLab, Bitbucket, Azure DevOps) and to read and "mine PR numbers, repo names, author/reviewer names" from returned PR data for follow-up queries, so untrusted, user-generated PR content is ingested and used to influence subsequent actions.