paperclip-plugin-dev

Warn

Audited by Snyk on Mar 16, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly supports receiving and processing untrusted external content via plugin webhooks (references/manifest-reference.md shows the POST /api/plugins/:pluginId/webhooks/:endpointKey route and the manifest/webhooks capability) and includes worker APIs that handle that input (references/worker-api-reference.md onWebhook and ctx.http.fetch), meaning third-party/user-generated HTTP payloads can be read and drive plugin behavior.

Issues (1)

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 16, 2026, 03:27 AM
Issues: 1