migration

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests external BPA findings from CAM/MCP via fetch-cam-bpa-findings (see references/cam-mcp.md and scripts/bpa-findings-helper.js) and from user-provided BPA CSVs (SKILL.md and bpa-local-parser.js), and those findings are read and used to drive automated migration actions (batch processing and code edits), so untrusted third‑party content can materially influence agent behavior.