canvas-data-fetching

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly instructs the agent to fetch and probe Drupal JSON:API content from a configured CANVAS_SITE_URL (via JsonApiClient and SWR, e.g., the probe script and Articles component) and to dynamically populate filters and component logic from that site data, which is untrusted/user-generated third-party content that can influence subsequent actions.