local-places

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill directly queries the public Google Places API (places.googleapis.com via the local proxy) and ingests untrusted, user/third-party place data (names, addresses, website URIs, hours) which the agent is expected to read and use to drive dialog and follow-up actions (searches, detail fetches), so third-party content could indirectly influence agent behavior.