finalize-pr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Step 2 ("Wait for CI") explicitly uses codagent:wait-ci to poll CI and gather pull-request review comments (user-generated PR comments on the repo/remote), and those review comments are read and acted on by codagent:fix-pr, meaning untrusted third‑party content from PR reviews/CI can influence agent actions.