dependency-audit
Warn
Audited by Snyk on Feb 21, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly runs tools that fetch and parse public package registry and advisory data (e.g., npm audit, npm outdated, pip-audit, govulncheck, npx/npm-check, and Dependabot config). That data (user-published package metadata and vulnerability reports from npm, PyPI, etc.) is untrusted, yet it is ingested and used to drive workflow decisions such as early exits, detailed analyses, and fix/update actions (see the multiple bash scripts in SKILL.md).
Audit Metadata