upstream-fix-and-pin

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to fetch content from public GitHub endpoints (e.g., the "SHA を取得する" section referencing git ls-remote and codeload.github.com and the "自動化の余地" agent that checks PR/merge status), meaning the agent would read and act on untrusted, user-generated third‑party content that can change its subsequent actions.