investigating-repository-history

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill (scripts/history_context.py and scripts/compact_pr.py, as well as SKILL.md instructions) explicitly calls the GitHub CLI ("gh api") to fetch PR bodies, files, reviews, inline review comments and issue comments — user-generated, public GitHub content that the agent ingests and uses to infer decision atoms and drive risk/recommendations, so untrusted third-party text can materially influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The scripts call the GitHub CLI at runtime to fetch PR and commit data (e.g., endpoints like "repos/{repo}/pulls/{number}" and "repos/{repo}/commits/{sha}/pulls"), and the returned PR bodies/review comments are injected into the agent's report/context and thus can directly influence the agent's prompts and outputs.