docx-templates

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). Yes — the skill explicitly ingests untrusted, third‑party content at runtime (e.g., fetching arbitrary image URLs via add_image_from_url / ImageHandler.add_image_from_url which uses requests.get, accepting uploaded .docx templates in the FastAPI /templates/upload endpoint, and loading CSV/Excel records in mail_merge_from_csv/mail_merge_from_excel), and those user-supplied templates/data are rendered/interpreted as part of the workflow, so they can materially influence generated outputs.