security-code-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the agent to clone and checkout GitHub repositories and PRs (e.g., "gh repo clone OWNER/REPO", "gh pr checkout ") and to read every changed file and diff from those public PRs, which are untrusted, user-generated third‑party content that the agent must interpret as part of its workflow.