building-inferencesh-apps

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly shows runtime flows that fetch and ingest untrusted external content—e.g., "File.from() is async — downloads and caches URLs" in references/node-app-logic.md, the "API-Wrapper App Template (Python)" in SKILL.md which posts to external APIs and processes responses, and declared integrations (google.sheets/drive) that read user data—so arbitrary third‑party/user‑provided content is read and can materially affect app behavior.