krt-review-herald

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to gather review context from third-party PRs (e.g., "PR URL/number via gh" in Step 1
• Gather Feedback in SKILL.md), which requires reading user-generated GitHub review comments and diffs that the agent will interpret to decide fixes and draft replies, exposing it to untrusted third-party content.