tokenx-auth

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's TokenValidator.fetchMetadata() calls httpClient.get(tokenXWellKnownUrl) and then builds a JwkProvider from metadata.jwks_uri (JwkProviderBuilder(URL(...))), meaning it fetches and ingests external OAuth metadata/JWKs from configurable third‑party URLs and uses that data to drive authentication decisions.