google-apps-script

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's documentation and examples explicitly use UrlFetchApp to fetch arbitrary external URLs (e.g., references/apps-script-api-reference.md "UrlFetchApp" section, the fetchWithRetry pattern in references/patterns.md, and the fetch('https://api.example.com/data') call in assets/spreadsheet-automation-template.js), parse that third‑party content, and then act on it (process data, write to Sheets, send emails), which clearly exposes the agent to untrusted third‑party content that can influence actions.