ci-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill ingests untrusted, user-generated GitHub content — PR diffs and metadata (Step 3a/3b), existing PR comments via fetch-pr-comments.sh (Step 3d), and repository CLAUDE.md files (Step 3c) — and explicitly injects those contents into agent prompts and into deduplication/posting logic (Steps 4–6), so third-party content can materially influence agent decisions and actions, enabling indirect prompt injection.