webhook-integration

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's webhook receiver (app.post('/webhooks')) explicitly accepts and processes incoming webhook payloads from third-party services (e.g., Stripe, GitHub, Shopify) and the sender posts to arbitrary endpoint URLs, so it clearly ingests and interprets untrusted external/web-generated content as part of its workflow.