changeset-validation

Warn

Audited by Snyk on Mar 20, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill injects repository and PR content into the LLM prompt: for example, the PR body read from the GitHub event payload (GITHUB_EVENT_PATH), and the changeset/package diffs and files collected by .agents/skills/changeset-validation/scripts/changeset-prompt.mjs. It also queries the GitHub API for milestone titles in scripts/changeset-assign-milestone.mjs. The LLM's parsed verdict (required_bump, etc.) is then used to drive follow-up actions, so untrusted user-generated PR/diff content can indirectly influence agent behavior.

Issues (1)

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 20, 2026, 05:28 AM
Issues: 1