review-github-pr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests untrusted, user-generated GitHub PR content (PR diffs, descriptions, commit messages, and changed files via gh pr view, gh pr diff, and repo cloning from arbitrary PR URLs) and passes that content to sub-agents to analyze and drive review decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's Mode 2 explicitly clones and fetches PR data at runtime from URLs like https://github.com/owner/repo/pull/123 (using gh repo clone / gh pr diff) and injects the diff and PR description into review agents' prompts, so remote repo content can directly control the agents' input.