whats-new

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). Yes — the skill explicitly fetches the public raw GitHub changelog (https://raw.githubusercontent.com/anthropics/claude-code/main/CHANGELOG.md in Step 3) and directly parses and injects those entries into prompts and spawned research agents, so arbitrary/modified changelog content could carry instructions that influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill fetches the changelog at runtime from https://raw.githubusercontent.com/anthropics/claude-code/main/CHANGELOG.md and injects those fetched entries directly into spawned agent prompts (and relies on that fetch to determine what to run), so the external URL directly controls agent instructions.