review-pr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches PR content via "gh pr view" / "gh pr diff" (Phase 1 in SKILL.md) and injects the resulting CHANGED_FILES and file contents into agent prompts in Phase 3, so arbitrary user-generated PR text and code from GitHub can be read and used to drive decisions and actions (e.g., synthesized findings, TaskCreate, and gh pr review)—creating a clear path for indirect prompt injection.