workflow-state

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill explicitly relies on external, user-generated GitHub PRs/reviews and their statuses (see references/mcp-tool-reference.md: "cleanup requires verifying PRs are merged via GitHub API" and SKILL.md guards like pr-url-exists and reviews.{name}.status), so untrusted third‑party content from GitHub can be read and can materially influence phase transitions and tool actions.