upfetch

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill is an HTTP client that performs fetches to configured URLs (see SKILL.md and references/client-setup-and-dynamic-defaults.md showing baseUrl and calls like upfetch('/posts') and references/validation-parsing-and-errors.md and other examples where parseResponse awaits response.json()), and parsed responses are then used in lifecycle hooks such as onSuccess/onError — meaning untrusted third‑party responses could be read and materially influence behavior.