sports-reporter

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow (SKILL.md and references/sport-mapping.md / references/api-reference.md) explicitly instructs calling sports-skills CLI endpoints like get_news, get_play_by_play, get_event_xg and NBA CDN live feeds that pull public third‑party data (ESPN, Understat, Transfermarkt, OpenFootball, NBA CDN, etc.), and that data is consumed and used to drive article generation—so untrusted third‑party content can materially influence agent behavior.