canva-upgrade-migration
Warn
Audited by Snyk on May 20, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and interprets live content from Canva's public sites/APIs (e.g., the changelog at https://www.canva.dev/docs/connect/changelog/, the OpenAPI spec https://www.canva.dev/sources/connect/api/latest/api.yml, and calls to https://api.canva.com/rest/v1 such as /brand-templates), and those third‑party/user-generated responses and headers are read and used to drive migration and upgrade decisions.
Issues (1)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
Audit Metadata