hydrogen-release-process

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (medium risk: 0.65). The required runtime workflow for this skill ingests outsider-authored free text via GitHub PR/release PR bodies and changesets (e.g., the “Version PR automatically updates as new changesets are merged” and “release PR … contains … CHANGELOG updates”), which are authored by other contributors and then become readable text in the CI-created PR/LLM context.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill states that the "h2 upgrade" command fetches changelog.json from https://hydrogen.shopify.dev/changelog.json at runtime and uses that remote JSON to generate local upgrade instructions and update package.json, so external content from that URL directly controls the agent's instructions/behavior.