flow-next-resolve-pr

Warn

Audited by Snyk on Apr 25, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill fetches user-generated GitHub content (review threads, PR comments, and review bodies) via scripts/get-pr-comments and gh GraphQL calls (see Phase 1 in workflow.md and scripts/get-pr-comments), then passes those comments (including synthesized cluster_brief from cluster-analysis.md) verbatim into resolver agents that make decisions, edits, commits, and replies—so untrusted third-party text can influence tool use and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill makes runtime GitHub API calls (via gh api/graphql and REST calls to api.github.com / repos/... and parses https://github.com/.../pull/... URLs) to fetch PR review threads and comment bodies which are then passed verbatim as feedback / cluster_brief inputs to resolver agents, meaning remote content from api.github.com directly controls agent prompts.

Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 25, 2026, 02:40 AM
Issues: 2