server-actions

Warn

Audited by Snyk on Feb 15, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's references/revalidation.md shows runtime fetches from external APIs (e.g., https://api.example.com/posts) and app/api/webhook/cms/route.ts explicitly ingests webhook JSON (body.event/body.data and body.tag/body.path) from third-party CMS webhooks, which are untrusted external inputs that the code reads and acts on (revalidateTag/revalidatePath).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 15, 2026, 09:01 PM