npm-security-best-practices

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's "Package Health Assessment" and "Manual verification checklist" include a check-package-health.js script that fetches data from https://registry.npmjs.org/${packageName} and examples that curl https://snyk.io/advisor/npm-package/..., which are public, third‑party sources the workflow instructs the user/agent to read and use to decide installs/allowlists, so untrusted content can influence actions.