erpnext

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill instructs the agent to connect to external ERPNext apps via Membrane (e.g., using membrane connection ensure and membrane request) and explicitly states that connection responses can include clientAction.agentInstructions which the AI agent is expected to read and act on, meaning untrusted third-party content from connected apps/APIs can influence the agent's subsequent actions (see SKILL.md's "clientAction.agentInstructions" and the proxy request instructions).