deco-api-call-dedup
Warn
Audited by Snyk on Mar 11, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly instructs the agent to fetch and consume VTEX public API responses (e.g., via vtexCachedFetch calls to /api/catalog_system/pub/products/search/{slug}/p, /crossselling/..., and /portal/pagetype/ in slugCache, relatedProducts, and pageTypesFromPath), meaning it reads untrusted third‑party website/CMS content as part of its loader/workflow and that content could materially influence subsequent decisions and tool use.
Issues (1)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
Audit Metadata