constructive-tooling

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's "Update Checking with @inquirerer/utils" example (in references/appstash.md / SKILL.md) calls checkForUpdates to fetch update info from public registries (e.g., npm/GitHub) and directly uses result.message to decide warnings/actions, meaning untrusted third-party content can be ingested and influence behavior.