review-pr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests GitHub PR content (e.g., "gh pr view $PR_NUMBER", "gh pr diff $PR_NUMBER", and CHANGED_FILES) — user-generated, potentially public third-party content — and instructs parallel agents to read and act on that diff as core input for findings and review/submit actions (Phase 1/Phase 3), so untrusted content can materially influence agent decisions.