yandex-metrica

Warn

Audited by Snyk on Feb 24, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The skill's scripts (e.g., scripts/stats.sh, scripts/logs.sh and common.sh) call the public Yandex Metrica API (https://api-metrika.yandex.net, e.g. /stat/v1/data and /management/v1/.../logrequests) and ingest and display user-generated fields such as startURL, title, referer and other log/hit data. The tool reads and acts on this data (for example, it uses the returned request status/parts to drive downloads), which exposes the agent to untrusted third-party content that could carry indirect prompt injections.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 24, 2026, 02:11 AM