capawesome-live-updates

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's workflow and API explicitly fetch and apply web bundles from Capawesome Cloud and arbitrary self‑hosted URLs (e.g., SKILL.md auto-update/sync steps; references/plugin-api.md methods fetchLatestBundle/downloadBundle; references/advanced-topics.md self-hosting via apps:liveupdates:register and CLI upload), which are untrusted third‑party web assets that the runtime will download and can materially change app behavior.