i18n-sync

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's CLI explicitly fetches translations from an external API (config.api.url used in pullTranslations in index.js and documented in README/SKILL.md), then parses those returned translation strings to validate placeholders and decide whether validation fails and which locale files/helpers to emit, so arbitrary third-party translation content can materially influence tool decisions and outputs.