thscore-football-api

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests live data from public third-party endpoints (e.g., GET /football_th/livescores.aspx on www.thscore.info and schedule/league endpoints) and external animation pages (https://www.isportslive8.com via buildAnimationUrl), and it uses those responses to drive behavior such as filtering in-play matches and conditionally embedding WebView/iFrame content, which could allow untrusted external content to influence agent actions.