pr-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The workflow explicitly runs gh pr diff <pr> and gh issue view <N> --json title,body,labels (Step 1 and related steps) to read PR diffs and linked issue bodies from GitHub—user-generated, potentially untrusted content—which the agent must interpret to decide fixes, commits, and review comments, allowing indirect instruction injection.