vscode-extension-guide

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The AI Customization section explicitly instructs the agent to auto-apply instruction files from repository locations (e.g., .github/copilot-instructions.md and .github/instructions/* via chat.instructionsFilesLocations), so the agent will read user-provided/public repo files (untrusted, user-generated content) as part of its workflow and could be subject to indirect prompt injection.