release-notes-generator

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The SKILL.md explicitly says it "Fetches PR Details: Gets PR titles, descriptions, and labels via gh api" and shows the gh api repos/{owner}/{repo}/pulls/{number} command, meaning the agent reads user-generated GitHub PR content (public/untrusted) and uses it to generate release notes and subsequent actions (CHANGELOG/PR/Slack), so that third-party content could influence behavior.