review-pr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.95). Outsider-authored free text from the PR itself is ingested into the LLM context via gh pr diff <ref> (Phase 1 “Diff” block) and gh pr view <ref> --json files (file paths) and then concatenated into the prompts for agents/orchestrate-slice.md / agents/orchestrate-merge.md / agents/orchestrate-verify.md; the PR author is not the operating user.