security-audit

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly fetches remote repository/PR content at runtime (e.g., GitHub PR URLs via "gh pr diff " / git remote origin pointing to https://github.com/...), and that fetched content is injected into the model's context and therefore can directly control prompts.