mf-type-check

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md "TYPES_NOT_PULLED" workflow explicitly instructs the agent to call mf-module-info to obtain a remote type file URL and "attempt to fetch it (or ask the user to verify in browser)", meaning the skill will retrieve and act on arbitrary public producer URLs/remoteEntry endpoints (untrusted third‑party content) which can influence subsequent decisions and tool use.