integrate-hookmyapp

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs the agent/human to run hookmyapp sandbox listen / hookmyapp channels listen and --verbose (see SKILL.md Quickstart steps and Sandbox/Quickstart and Troubleshooting) which streams inbound WhatsApp webhook payloads—untrusted, user-generated third-party content—that the agent is expected to read/interpret for diagnostics and next actions, so these external messages could inject instructions that influence tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs the agent/user at runtime to clone and run code from https://github.com/hookmyapp/webhook-starter-kit.git (git clone + npm install / npm start), which fetches remote code that will be executed and is presented as a required dependency for the quickstart.