loom-dependency-scan

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs checking "CVE databases" and using tools/actions that query public sources (e.g., npm audit, pip-audit, govulncheck, trivy, Snyk, and GitHub/GitLab security alerts in the provided GitHub Actions examples), which ingest untrusted public vulnerability/advisory data that the agent is expected to read and use to drive remediation and other actions.