convex-expo-push-notifications

Warn

Audited by Snyk on Mar 15, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly ingests push notification payloads from external senders, then reads and acts on notification.request.content.data to drive deep-linking and other behavior (see the response listener in references/client-hook.md and the app layout code in app/_layout.ts). The docs also show sending notifications via exp.host / expo.dev, so untrusted third-party notification content can materially influence app actions.

Audit Metadata

  • Risk Level: MEDIUM
  • Analyzed: Mar 15, 2026, 10:47 PM
  • Issues: 1