https-outcalls
Warn
Audited by Snyk on Mar 28, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). This skill explicitly makes HTTPS outcalls to public third‑party APIs (e.g., "https://api.coingecko.com/..." and "https://httpbin.org/post") via the management canister's http_request and then parses/uses the returned JSON in its workflow (see the SKILL.md GET/POST examples), so it clearly ingests untrusted external content that can influence subsequent behavior.
Issues (1)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).