code-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.95). The required workflow fetches a GitHub PR diff (Step 1 A/B) and then “Read the diff and surrounding context in changed files” (Step 2), meaning outsider-authored PR body/diff text from a third party is ingested as readable text into the agent’s LLM context via the fetched git diff/file contents.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). This skill fetches PR diffs at runtime from GitHub (e.g. https://github.com/openshift/lightspeed-console/pull/123) using commands like "git fetch pull//head:pr-" and then feeds the fetched diff content into the model for the review, so remote content can directly control prompts and is a required runtime dependency.