graphql-and-hidden-parameters

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly directs the agent to perform "JS and mobile bundle route extraction" and inspect frontend code and GraphQL introspection responses from public sites/endpoints to discover hidden parameters, which requires fetching and interpreting untrusted third‑party web/mobile assets that can materially change subsequent actions.