vgv-static-security

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). references/supply-chain.md explicitly instructs auditors to check public pub.dev pages (publisher badges), the GitHub Advisory Database, and to download/run osv-scanner from GitHub/OSV, i.e., fetching and interpreting untrusted third‑party web content that can directly change triage and findings.