nextjs-core

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill includes an on-demand revalidation route (app/api/revalidate/route.ts) that ingests JSON from incoming webhooks and directly uses untrusted fields like "path" and "tag" from arbitrary POST requests to call revalidatePath/revalidateTag, so it clearly consumes untrusted third-party content as part of its runtime workflow.