hapi

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill documentation for @hapi/jwt explicitly allows configuring keys via a JWKS URI (reference: reference/jwt-auth/overview.md "JWKS (JSON Web Key Set) URI"), which causes the agent at runtime to fetch and cache key material from arbitrary external HTTPS endpoints — untrusted third‑party content that directly controls authentication/authorization decisions.