code-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's CI workflow and prompts explicitly instruct the agent to run gh pr view / gh pr diff and to read PR descriptions and code diffs (e.g., in ci-optimized-workflow.md and the review/triage prompt sections), and it also allows WebSearch and installs an external GitHub skill—therefore it ingests untrusted, user-generated PR/web content which the agent must interpret and which directly drives review decisions and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The CI workflow explicitly installs and invokes the external Vercel skill at runtime via npx (https://github.com/vercel-labs/agent-skills/tree/main/skills/react-best-practices), which fetches and loads remote skill code that the agent uses to guide prompts/behavior, so this is a runtime external dependency that can directly control agent instructions.