cr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and reads GitHub PR bodies and comments via gh api and worktree fetches as part of the mandatory PR review flows (references/pr-review.md and references/teams-review.md), which are untrusted user-generated third‑party content that the agent uses to form review findings and drive subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly fetches remote PR branches at runtime (git fetch origin pull/{number}/head:pr-{number}) and pulls PR metadata via the GitHub API (gh api repos/{OWNER_REPO}/pulls/{number}/comments), then reads that fetched code/PR body into the agent's context to drive review prompts, so external content directly controls the agent's instructions.