drupal-update

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and parses public module metadata and release notes (e.g., via "ddev composer show drupal/[module] --all --format=json" and the scripts/fetch_changelog.php that pulls release pages like https://www.drupal.org/project/.../releases/...), so it ingests untrusted, public third-party content and uses that data to decide compatible versions and drive update actions.