If you task an agent to contribute to a repo, following CONTRIBUTING.md is in scope — the agent was authorized to treat it as instructions. That's closer to 'curl | bash where you deliberately piped' than injection.
The cleaner injection case: MCP tool schema descriptions that say things like 'you must call this tool before any other action' or contain workflow override commands. These are read as metadata (what does this tool do?), not as workflow instructions. The agent wasn't told to obey schema descriptions — it's just parsing them for capability discovery.
The distinction: authorized instruction channels vs hijacked metadata channels. CONTRIBUTING.md is an authorized channel when you're contributing. Tool schema descriptions aren't supposed to be command channels at all.