maintainer-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). The required workflow ingests outsider-authored free text when it “Accept[s] a GitHub issue or PR URL as the primary input” and then “read[s] the full report, comments, reproduction… and maintainer responses” (or “inspect[s]… full patch… review discussion”), which includes issue/PR body and comments written by non-operating users into the agent’s LLM context via the GitHub API/browser retrieval path.