review-agent-setup
Warn
Audited by Snyk on Apr 28, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). This skill explicitly targets agent actions on GitHub pull requests and issues (e.g., "reviews, comments on, or merges pull requests (gh pr review, gh pr merge)" in SKILL.md). PR and issue bodies, titles, commit messages and review comments are untrusted, user-generated third-party content that the agent is expected to read and interpret as part of its workflow, so instructions embedded in that content can steer the agent's actions (indirect prompt injection), including the gh pr review and gh pr merge steps the skill performs.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The PreToolUse hook runs the command "npx protect-mcp@0.5.5 evaluate --policy ./review-governance.cedar --tool "$TOOL_NAME" --input "$TOOL_INPUT" ...", which resolves and executes the protect-mcp package from the npm registry at runtime to allow or deny agent tool calls. The version pin fixes which version is requested, but nothing in the hook verifies the code that is fetched, so remote code that the skill does not control directly decides whether the agent may act.
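The W012 finding above turns on one question: is the package the hook executes pinned and verifiable, or does the registry decide what runs? The check below is an added example, not Snyk's analysis code and not part of the review-agent-setup skill. It extracts every `npx` target from a list of hook commands and classifies each against a package-lock.json (lockfileVersion 3 layout, where installed packages are keyed `node_modules/<name>` under `packages`). The first hook command is the one quoted in the finding, with its trailing arguments truncated as on the page; the other two hooks, the lockfile and its integrity value are constructed for illustration, and the `{"event": ..., "command": ...}` hook shape is a simplification rather than any specific agent runtime's configuration schema.

```python
"""Added example: flag agent hook commands that run npm packages fetched at runtime.

`npx <pkg>@<version>` asks the registry for that version whenever the package is
not already installed, and nothing in the hook itself verifies what comes back.
This check parses hook commands, extracts each `npx` target, and compares it
against a package-lock.json so that only exactly-pinned, lock-recorded packages
with an integrity hash pass.
"""
import json
import re

# `npx [-y|--yes] [@scope/]name[@spec]`; trailing arguments are ignored.
NPX_RE = re.compile(
    r"\bnpx\s+(?:-y\s+|--yes\s+)?((?:@[\w.-]+/)?[\w.-]+)(?:@(\S+))?"
)
# Exact semver only; tags (latest), ranges (^0.5.0) and no spec are all "unpinned".
EXACT_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+(?:-[\w.]+)?(?:\+[\w.]+)?$")

# First entry is the command quoted in finding W012 (trailing arguments truncated
# as on the page); the other two are constructed examples of weaker pinning.
HOOKS = [
    {"event": "PreToolUse",
     "command": 'npx protect-mcp@0.5.5 evaluate --policy ./review-governance.cedar '
                '--tool "$TOOL_NAME" --input "$TOOL_INPUT"'},
    {"event": "PostToolUse", "command": "npx some-linter@latest --fix"},  # constructed
    {"event": "Stop", "command": "npx @example/notify --done"},           # constructed
]

# Constructed package-lock.json (lockfileVersion 3 layout). The integrity value is
# a placeholder, not the real hash of any protect-mcp release.
LOCKFILE = json.loads("""
{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "review-agent-setup"},
    "node_modules/protect-mcp": {
      "version": "0.5.5",
      "integrity": "sha512-PLACEHOLDER"
    }
  }
}
""")
EMPTY_LOCKFILE = {"lockfileVersion": 3, "packages": {}}


def find_npx_invocations(command):
    """Return [(package, version_spec_or_None), ...] for every npx call in a command."""
    return [(m.group(1), m.group(2)) for m in NPX_RE.finditer(command)]


def classify_dependency(pkg, spec, lockfile):
    """Decide whether an npx target is verifiable from the lockfile.

    unpinned            -> the registry decides which code runs
    pinned-not-locked   -> version fixed, but nothing records what that tarball should be
    lock-mismatch       -> hook asks for a different version than the lock installs
    locked-no-integrity -> lock entry exists but carries no hash to verify against
    locked              -> exact version, present in lock, with an integrity hash
    """
    if spec is None or not EXACT_VERSION_RE.match(spec):
        return "unpinned"
    entry = lockfile.get("packages", {}).get(f"node_modules/{pkg}")
    if entry is None:
        return "pinned-not-locked"
    if entry.get("version") != spec:
        return "lock-mismatch"
    if not entry.get("integrity"):
        return "locked-no-integrity"
    return "locked"


def audit_hooks(hooks, lockfile):
    """Run the check over every hook and return one finding dict per npx target."""
    findings = []
    for hook in hooks:
        for pkg, spec in find_npx_invocations(hook["command"]):
            findings.append({
                "event": hook["event"],
                "package": pkg,
                "spec": spec,
                "status": classify_dependency(pkg, spec, lockfile),
            })
    return findings


if __name__ == "__main__":
    for lock_name, lock in (("with lockfile", LOCKFILE), ("no lockfile", EMPTY_LOCKFILE)):
        print(f"--- {lock_name}")
        for f in audit_hooks(HOOKS, lock):
            print(f"{f['event']:<12} {f['package']}@{f['spec']}  {f['status']}")
```

A "locked" result only means the lockfile records a hash; the hash is enforced by `npm ci`, not by `npx`. To actually close W012 the hook should run the copy that `npm ci` installed and verified (for example `./node_modules/.bin/protect-mcp`) instead of asking `npx` to resolve `protect-mcp@0.5.5` at the moment a tool call is being gated.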
Issues (2)
W011
MEDIUM Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata