building-mechanics
Warn
Audited by Snyk on Mar 6, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). The skill clearly ingests untrusted, user-generated messages from remote players (e.g., BuildingNetworkClient.onMessage / WebSocket in scripts/building-network-manager.js and the server-side onClientMessage -> handlePlaceRequest flow in scripts/building-network-manager.js, plus conflict-resolver and client-prediction handling), so runtime behavior depends on arbitrary third‑party inputs that can change actions/state.
Audit Metadata