convert-to-pdf

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). This skill directly calls and ingests JSON from a public third‑party API (e.g., GET https://api.xss-cross-service-solutions.com/.../api/<job_id> as shown in SKILL.md and scripts/convert-to-pdf.py), extracts and acts on fields like status and output.files[] (and even returns the raw response), so untrusted third‑party content can materially influence polling, control flow, and returned actions/URLs.