tauri2-mobile

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill instructs the app to open arbitrary external pages (Google OAuth in the system browser) and to host/use a public callback page (references/authentication.md) and also contains examples that fetch arbitrary URLs (references/frontend-patterns.md and references/rust-patterns.md download/fetch examples), so it clearly ingests untrusted third‑party web content as part of its required OAuth/workflow and those responses can directly affect authentication and app behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The OAuth callback page hosted at your callback URL (e.g., https://your-app.web.app/auth/callback) is loaded in the system browser at runtime and executes remote JavaScript that constructs deep links and forwards tokens, so the skill depends on externally hosted code that runs during the flow.