changelog-composer

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly ingests user-generated GitHub content — e.g., "Extract PR titles — gh pr list --state merged ..." and parsing PR descriptions/commit messages in SKILL.md Phase 1 — which are untrusted third‑party sources whose text is read and used to classify changes and decide changelog output, allowing injected instructions to influence behavior.