code-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly tells the agent to fetch and read pull requests (e.g., "PR URL or number" with commands like gh pr view and gh pr diff), which pulls user-generated GitHub content that the agent must interpret and that can materially influence its review actions, so it exposes the agent to untrusted third-party content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill instructs fetching pull request diffs from GitHub at runtime (PR URLs containing "github.com", e.g. https://github.com/...) via commands like gh pr view / gh pr diff, which inject remote content into the agent's prompt and can directly control its instructions.