apm-review-panel

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests and passes user-generated PR content (fetched via gh pr view / gh pr diff in SKILL.md step 1 and then included inline in subagent prompts per step 3) into multiple agent threads for interpretation, so untrusted third-party PR diffs can influence panel findings and the orchestrator's label/comment actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill description states the gh-aw workflow imports the panel skill from the remote git reference microsoft/apm#main (https://github.com/microsoft/apm) at runtime, and that imported skill content (SKILL.md/.agent.md assets) supplies the agent prompts and code the agents execute, so this remote repo fetch directly controls prompts and is a required runtime dependency.