backend-dev-guidelines

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill documents and activates for building public REST API endpoints (web/src/pages/api/public/, e.g., POST /api/public/scores which calls processEventBatch and ingests request bodies), so it clearly accepts and processes arbitrary external/user-provided content from third parties via those public API routes.