barcode-capture-android

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's SKILL.md and references/integration.md explicitly require the agent to fetch and read external public documentation and pages (e.g., https://central.sonatype.com/artifact/com.scandit.datacapture/barcode and https://docs.scandit.com/...), and those fetched third‑party pages are expected to be interpreted and used to determine API usage and drive code changes, so external content can materially influence the agent's actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs the agent to fetch external documentation at runtime (for example https://central.sonatype.com/artifact/com.scandit.datacapture/barcode to extract the latest SDK version and https://docs.scandit.com/data-capture-sdk/android/barcode-capture/api.html to verify APIs), and that fetched content is required and will directly shape the agent's produced instructions — therefore it is a runtime external dependency that controls prompts.