pre-merge-checklist

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's accessibility script (scripts/accessibility-check.sh) invokes npx @axe-core/cli against a configurable BASE_URL (via --url) and accepts a pages file, allowing it to fetch and scan arbitrary public URLs and include those page-derived results in the pre-merge report, so the agent will read/interpret untrusted third-party web content.