pr-writer

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill explicitly instructs the agent to fetch and inspect GitHub PR title/body via commands like gh pr view (see SKILL.md and SPEC.md), which are user-generated third-party inputs the agent must read and that can materially influence decisions about rewriting or refreshing PRs, creating a channel for indirect prompt injection.