setup-checks

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's Step 3 explicitly instructs the agent to fetch PR review comments via the gh CLI (gh api repos/{owner}/{repo}/pulls/{number}/comments), which are user-generated, untrusted content that the agent must read and use to decide what checks to create—so those comments could indirectly inject actionable instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The workflow installs and runs the external agent CLI "@anthropic-ai/claude-code" at runtime (npm install -g @anthropic-ai/claude-code — https://www.npmjs.com/package/@anthropic-ai/claude-code), which executes remote code and is then used to run prompts built from repo/PR content, so this is a runtime external dependency that executes code.