sbom-analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow explicitly ingests and interprets user- or vendor-supplied SBOM files and VEX documents (see "Context the Agent Needs" and the Process steps that parse SBOMs and VEX and "Cross-reference vulnerabilities" against NVD/OSV/GitHub), which are open/public or third-party artifacts that the agent must read and whose contents directly drive assessments and remediation actions, creating a clear vector for indirect prompt injection.