building-threat-intelligence-enrichment-in-splunk

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and parses public, user-contributed threat feeds (e.g., bin/threatfeed_otx.py and scripts/agent.py call https://otx.alienvault.com and SKILL.md lists TAXII/CSV/API feeds like AbuseIPDB and external TAXII endpoints), ingests those untrusted indicators into KV store lookups, and uses their fields to drive correlation searches and generated descriptions—so third‑party content is read and can materially influence agent behavior.