changelog-gen

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's runtime invocation ("npx ai-changelog") fetches and executes remote package code (source repo: https://github.com/lxgicstudios/ai-changelog), and that executed code constructs the prompts sent to GPT-4o-mini, so external content is fetched at runtime and directly controls agent prompts.