pre-merge

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's review-checklist explicitly requires the agent to query public package registries and external docs (e.g., "confirm it resolves on the registry (npm view <pkg> version" and "a short docs lookup is sufficient") and to read upstream PR/issue and package/type-definition state, so it ingests untrusted, user-generated third‑party content that materially informs review decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill explicitly runs GitHub CLI commands at runtime (e.g., "gh pr diff " and "gh issue view "), which fetch PR diffs and issue bodies from GitHub (https://api.github.com) and inject that external content directly into the agent's review context, so remote content controls the agent's prompts.