x-request

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's documentation (SKILL.md and reference/CORE.md / EXAMPLES_SERVICE_PROVIDER.md) shows XRequest being configured to call arbitrary external endpoints (e.g., https://httpbin.org/post, OpenAI and other public API URLs) and to parse streaming responses via transformStream and onUpdate/onSuccess callbacks, so untrusted public API responses are ingested and can directly influence callbacks and provider behavior.