pr-creator

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and loads remote repository contents (e.g., git fetch/origin and git diff origin/...origin/<current_branch> in Phase 2–3) and reads files from that repo such as CODEOWNERS and the output of gh label list, then uses that untrusted, user-generated content to draft the PR title/body and pick reviewers/labels which directly influence subsequent actions, so it exposes the agent to indirect prompt injection from third-party repo content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill runs git fetch/git diff against the repository at remote.origin.url (e.g., git@github.com:org/repo.git or https://github.com/org/repo.git) at runtime and uses the fetched diff to directly generate PR titles and bodies, so remote repo content can directly control prompts.