cometchat-android-v6-push

Warn

Audited by Snyk on May 7, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's FCMService explicitly parses Firebase RemoteMessage.data (see onMessageReceived, handleChatNotification, and handleCallNotification in SKILL.md) and uses fields like "type", "sessionId", and "callAction" to drive actions (show notifications, mark delivered, start/end VoIP), so arbitrary/untrusted push payloads from third-party sources can materially influence runtime behavior.

Audit Metadata

  • Risk Level: MEDIUM
  • Analyzed: May 7, 2026, 07:09 AM
  • Issues: 1