vgv-layered-architecture

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's required workflow includes a data client that fetches external API responses (packages/user_api_client/lib/src/user_api_client.dart makes HTTP GETs to '$_baseUrl/users/$userId', with baseUrl set in lib/main_development.dart), and those untrusted responses are parsed and propagated through the repository and Bloc layers to drive decisions and UI — so third-party content is ingested and can materially influence behavior.