codex-review-cycle

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill explicitly ingests untrusted, user-authored repository content (Phase 0 step 2: commit_messages[] and diff_patch_excerpts are collected and passed into proposal-mode DoD / <review_context>) and also permits external reads of public third‑party sources (Phase 1 step 10 "External-source rule" — dependency crate sources, upstream READMEs, stdlib docs) which are folded into model prompts and used by Claude/codex for validity, DoD drafting, and review decisions, so untrusted third‑party content can materially influence tool behavior despite caller-side "inert data" wrappers.