usgs-water-iv-fetch

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's fetch flow explicitly retrieves JSON from the public USGS Water Services endpoint (default USGS_WATER_IV_BASE_URL=https://waterservices.usgs.gov/nwis/iv/ per references/env.md and resources) via scripts/usgs_water_iv_fetch.py (fetch_json -> extract_records) and ingests/parses that third‑party payload into records used by the agent workflow, exposing it to untrusted public web content that can influence downstream behavior.