social-login

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md and code examples show the backend calling third-party endpoints (e.g., provider.authenticate does httpPost/httpGet to https://github.com/... and https://api.github.com/user) and then using the returned SocialUser fields in SocialLoginController callback to decide binding/login, so untrusted third-party user data is fetched and directly influences authentication/next actions.