changelog-automation

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill ingests user-generated content from public Git hosting platforms (e.g., GitHub via semantic-release, actions/checkout in the GitHub Actions workflow, git-cliff, and release note templates that read commits/PRs/releases), so the agent is expected to read and interpret untrusted commits/PRs/release descriptions that could contain injected instructions.