utility-update-pm-skills

Warn

Audited by Snyk on Apr 27, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The updater explicitly fetches and parses public GitHub release data and release notes (via the GitHub API / repository URL https://github.com/product-on-purpose/pm-skills and CHANGELOG.md) as part of its mandatory pre-flight and preview steps, so untrusted third-party content is read and can materially influence update decisions and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). At runtime the skill fetches release metadata, release notes, and the release ZIP from https://github.com/product-on-purpose/pm-skills (including the GitHub API endpoint /repos/product-on-purpose/pm-skills/releases/latest) and injects that remote content (CHANGELOG/release notes) into the preview/report and update flow. This remote data directly drives the agent's outputs and the files written, and the updater cannot operate without it.

Issues (2)

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 27, 2026, 12:45 PM
Issues: 2