vipshop-user-login

Warn

Audited by Snyk on Apr 24, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill directly calls public endpoints on https://passport.vip.com (initQrLogin, getQrImage, checkStatus). SKILL.md and vip_login.py explicitly instruct the agent to extract the machine-readable JSON payload (qrImageUrl/qrToken) between [VIPSHOP_QR_PAYLOAD_BEGIN]/[END] and to read poll responses (StatusPoller.check_status) to decide its next actions (display QR, poll, save cookies). Untrusted third-party responses can therefore materially influence the agent's behavior.


Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 24, 2026, 07:04 AM
Issues: 1