clickup-upgrade-migration

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's adapter.request() implementation fetches live data from the public ClickUp API (e.g., fetch('https://api.clickup.com/api/v2...') in src/clickup/adapter.ts) and the SKILL.md workflow/test examples call adapter.getWorkspaces(), meaning untrusted, user-generated ClickUp content is ingested and used to drive adapter behavior and subsequent actions.