canva-ci-integration

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's CI workflows and tests clearly make live requests to Canva's public API (e.g., fetch calls to https://api.canva.com/rest/v1/users/me and the token refresh POST to https://api.canva.com/rest/v1/oauth/token shown in the GitHub Actions workflows and integration test files) and consume JSON responses that drive CI behavior (test execution and updating GitHub secrets), so untrusted third-party responses can materially influence actions.