gentle-ai-chained-pr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The SKILL.md workflow explicitly instructs using the GitHub CLI (e.g., "gh pr view <PR_NUMBER> --json ..." and creating/inspecting tracker/child PRs) which reads user-generated GitHub PR metadata/diffs (open web content) that the agent must interpret to decide splitting/chain actions, so untrusted third-party content can materially influence its behavior.