implementing-scalekit-flask-auth

Warn

Audited by Snyk on Apr 23, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill calls out to the external Scalekit identity endpoints at runtime (e.g., client.get_user_info in auth_app/views.py and ScalekitClient.validate/get_user_info in auth_app/scalekit_client.py) to ingest user-supplied claims/permissions, and those untrusted third-party claims are directly used by permission_required/has_permission to make authorization decisions, so external content can materially change behavior.

Issues (1)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 23, 2026, 08:26 PM
Issues: 1