release-note-generation

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests public GitHub content (e.g., SKILL.md Step 1.1 and Step 3; dump-prs-since-commit.ps1 and collect-or-apply-milestones.ps1 call gh pr view, gh api graphql, and instruct opening the public releases page) — these are untrusted, user-generated PR bodies, comments and reviews that the agent reads and uses to generate summaries, suggest/apply labels and milestones, and drive follow-up actions, so third-party content can materially influence behavior.