ziw-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.75). Outsider free text can enter the LLM context via PR bodies/issues/wiki/discussion threads authored by others when the workflow “fetch[es] remote state” and “give[s] the reviewer the PR URL… linked tracker issue… and the few intent docs needed,” which implies the subagent/worktree reads those outsider-authored texts (PR/issue content) into its prompt.