performing-graphql-security-assessment

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's workflow and code (SKILL.md Step 1/Step 2 curl examples and scripts/agent.py's query and test* functions) explicitly fetch and parse JSON responses from arbitrary target GraphQL endpoints (e.g., https://target.example.com/graphql), treating those untrusted third‑party responses as input that drives vulnerability determinations and subsequent actions in the assessment.