canva-webhooks-events

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill receives and processes user-generated webhook notifications from Canva (handled at POST /webhooks/canva and processed by handleCanvaEvent) and fetches public JWKs from https://api.canva.com/rest/v1/connect/keys, so it clearly ingests untrusted third-party content that can influence actions (e.g., auto-approve, update access control) during normal workflow.