gsp-brand-refine

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to call an external public API (WebFetch to https://www.tints.dev/api/{colorName}/{hexWithoutHash}) and parse its response to regenerate an 11‑stop palette and then update the brand .yml, so it ingests third‑party content (tints.dev) that directly influences edits and subsequent actions as described in SKILL.md.