convex

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md "HTTP Actions (Webhooks)" section shows the skill reads and JSON-parses incoming webhook bodies (request.text() / JSON.parse(body)) and then runs mutations (ctx.runMutation(api.payments.handleWebhook)), which clearly ingests untrusted third-party content (webhook payloads) that can influence subsequent actions.