mcp-apps

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's host fetches and renders external ui:// HTML resources via the MCP resources/read flow (see references/host-integration.md "Resource Fetching" and build-guide examples that expose servers via cloudflared or public connectors like mcpjam.com), and those untrusted View HTMLs can call app.updateModelContext and app.callServerTool (references/patterns.md and protocol.md), which can materially influence the model's next-turn context and tool calls — creating a clear path for indirect prompt injection.