relay-review
Warn
Audited by Snyk on May 24, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill fetches and ingests user-authored GitHub content (PR diffs and issue/PR bodies) via gh (see loadDiff and loadDoneCriteria in scripts/review-runner/context.js, which call "gh pr diff", "gh issue view", "gh pr view"), then inserts that untrusted content into the reviewer prompt (see references/reviewer-prompt.md and the prompt built/written by review-runner.js), which the reviewer adapters (invoke-reviewer-*.js) feed to models to produce verdicts and redispatch prompts. As a result, arbitrary third-party text can materially influence model decisions and follow-up actions.
Issues (1)
W011
MEDIUM Third-party content exposure detected (indirect prompt injection risk).
Audit Metadata