huggingface-webhooks

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill accepts and parses incoming Hugging Face webhook payloads (e.g., discussion and discussion.comment content delivered to POST /webhooks/huggingface as shown in SKILL.md and the example handlers), which are user-generated, untrusted third-party content and the docs explicitly describe using those events to drive bots, retraining, and other actions — meaning payload content can influence processing and next actions.