github

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's worker workflows explicitly fetch and ingest PR review threads from GitHub (see scripts/fetch-threads.sh and references/pr-fix.md / pr-fix-parallel.md), then read/triage reviewer comments and autonomously apply fixes, commit, and resolve threads—meaning untrusted, user-generated GitHub content can directly influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill fetches PR threads at runtime via GitHub's API (e.g., gh api graphql -> https://api.github.com/graphql and example PR URLs like https://github.com/owner/repo/pull/123) and injects that fetched review/comment content into LLM prompts to drive automated fixes, so the external content directly controls agent instructions.