bubble-io-plugins

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's templates and docs explicitly instruct runtime loading and execution of external, public third-party content — e.g., element header.html injects CDN scripts (s.src = 'https://cdn.example.com/lib.min.js') and server-action.js shows runtime fetches to external APIs (fetch('https://api.example.com/data')) — which the plugin code is expected to use during execution and thus can materially influence behavior.