review-changes

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's PR mode explicitly fetches and ingests untrusted, user-generated content (e.g., PR diffs, PR metadata, reviews, reviewComments, comments via gh pr view ... --json reviews,reviewComments,comments and unresolved review threads via the GraphQL query) and may also fetch external Jira ticket details, and the agent is expected to read and act on that content (build exclusion lists, produce findings, and post replies/comments), which enables indirect prompt injection.