write-changelog

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md "Gather Milestone Items" step explicitly instructs fetching closed issues and merged PRs from the public GitHub repo microsoft/vscode-pull-request-github, which are user-generated/untrusted content that the agent must read and use to classify and compose changelog entries, so external text could influence behavior.