The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.

Why it was flagged

Third-party content exposure detected (high risk: 0.85). The required workflow is to “Read the PR description” and “Review each changed file in the diff,” which at runtime ingests outsider-authored PR text/diffs (e.g., issue/PR author comments and code) into the agent’s LLM context via the PR payload.

Report incorrect finding

Audited: 1 day ago
Security analysis