release-plannotator

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md Phase 1 workflow explicitly tells the agent to fetch and ingest public, user-generated GitHub content (e.g., "gh pr view " and "gh api .../issues//comments" in Phase 1 Step 2) — and the included reference notes even describe agent-facing label tips — meaning untrusted third‑party content is read and can alter the agent's wording and actions, enabling indirect prompt injection.