mcp-apps-builder

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs the server to fetch and ingest external provider data (JWKS and userinfo) and call public APIs (see references/custom.md and references/authentication/auth0.md — e.g., the GitHub opaque-token verifyToken example that fetches https://api.github.com/user and the use of jwksUrl/jwksVerifier), and those returned claims/fields (ctx.auth.payload / ctx.auth.permissions) are used by tools (e.g., delete-document permission checks) to make authorization and behavior decisions, so untrusted third-party content can materially influence actions.