gitlab-kiro

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests GitLab MR data and existing MR comments via glab commands (e.g., "glab mr view", "glab mr diff", "glab mr note list") and then feeds the full diff and comment summaries into parallel review subagents and decision logic, meaning untrusted, user-generated MR content from GitLab can materially influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill fetches user-provided GitLab MR URLs (e.g., https://gitlab.com/group/subgroup/project/-/merge_requests/42) at runtime via glab and injects the MR JSON/diff directly into subagent prompts, so external content both controls agent instructions and is required for the review/fix workflows.