changeset-validation

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill injects PR body and labels from the GitHub event payload into the LLM prompt (see scripts/changeset-prompt.mjs reading GITHUB_EVENT_PATH and rendering {{PR_BODY}}/{{PR_LABELS}} into references/validation-prompt.md), and also queries the GitHub API in changeset-assign-milestone.mjs, meaning untrusted, user-generated GitHub content is read and directly used to influence validation decisions.