cto-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The runbook explicitly fetches and reads user-generated GitHub content (e.g., via gh api repos/$REPO/contents/CLAUDE.md, gh pr view --json body/comments, gh pr diff, and gh api repos/.../issues) and uses that untrusted third-party content to drive verdicts, labels, merges, and dispatch decisions, so it can enable indirect prompt-injection.