codex-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md Step 0 "Code mode" explicitly supports ARGUMENTS as a PR number and runs gh pr diff 123, ingesting the resulting GitHub PR diff (user‑generated, third‑party content) into the assembled Codex prompt that the agent reads and uses to drive its VERDICT/next‑action loop, which could enable indirect prompt injection.