muapi-photo-pack-generator

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill accepts arbitrary external image URLs (see "Supported inputs: URL" in SKILL.md) and scripts/generate-pack.sh directly uses the --image-url value and passes it to the generation pipeline (generate-image.sh), so untrusted third-party content (public URLs) is fetched and analyzed as part of the workflow and can materially influence prompt construction and tool behavior.