wp-performance

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to make HTTP requests to a target URL (e.g., capture TTFB with curl, use --url= with wp profile) and to inspect Query Monitor REST headers and _envelope qm properties and Server-Timing headers (see SKILL.md and references/query-monitor-headless.md and references/server-timing.md), so it will read and act on arbitrary site responses that may be untrusted user-generated content.