audit-completion

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's Phase 1 source-scan explicitly includes remote PRs, git history, and reviewer comments (see references/scope-disambiguation.md and references/audit-sources.md which mention gh pr view, PR body, and "reviewer comments") — these are user-generated, potentially public GitHub contents that the agent is required to read and use as evidence to drive status decisions and remediation, creating a clear vector for indirect prompt injection.