nextjs-app-router

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's main instructions and examples explicitly include server-side fetch() calls to external APIs (e.g., app/users/page.tsx: getUsers fetch(${process.env.API_URL}/users) and numerous fetchPost/fetchProduct examples) and an "External Data Fetching" warning in SKILL.md noting that Server Components process untrusted external API content, so the skill clearly ingests untrusted third‑party content that the app is expected to read and that can affect behavior (rendering, routing, metadata, revalidation).