icp-cli

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md's "Dev Server Configuration" and related workflow explicitly instruct running commands that fetch and parse external data (e.g., icp network status --json and icp canister status ... -i, and references to public recipe/templates on GitHub) so the agent would ingest untrusted public network/URL-provided JSON and IDs and use those values to set cookies, proxy targets, and other runtime behavior, which could materially influence subsequent actions.