skills/2025emma/vibe-coding-cn/snapdom/Snyk

snapdom

Warn

Audited by Snyk on Feb 15, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.80). snapdom explicitly captures and renders page DOM and external assets from public sites (e.g., importing from the unpkg CDN, embedding fonts/images, and a useProxy CORS-fallback option like "useProxy: 'https://cors.example.com/?'") so it can ingest untrusted, user-provided web content as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.90). The skill includes CDN import examples that load and execute remote JavaScript at runtime from unpkg (e.g. https://unpkg.com/@zumer/snapdom/dist/snapdom.mjs and https://unpkg.com/@zumer/snapdom/dist/snapdom.umd.js), which constitutes a required runtime dependency that executes remote code.

Audit Metadata

Risk Level

MEDIUM

Analyzed

Feb 15, 2026, 08:29 PM