review-pr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow (SKILL.md "1. Fetch Latest Changes") instructs the agent to git fetch PRs from upstream (git fetch upstream pull/<PR_NUMBER>/head...) and read diffs, meaning the agent will ingest and interpret user-generated, public PR content from a third-party repository as part of its decision-making and review actions.