dmc-py
Warn
Audited by Snyk on Mar 9, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill documentation explicitly shows fetching and ingesting open third-party content: loading CDN scripts via external_scripts in references/date-pickers-guide.md, and async client-side fetch(url) examples alongside server-side requests.get(url) in references/callbacks-advanced.md. The fetched, potentially untrusted data/JS is parsed and used to update the UI and drive callbacks, so external content can materially influence app behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill includes a runtime example that injects remote JavaScript via Dash external_scripts (e.g., "https://cdnjs.cloudflare.com/ajax/libs/dayjs/1.10.8/dayjs.min.js" and "https://cdnjs.cloudflare.com/ajax/libs/dayjs/1.10.8/locale/fr.min.js"). These scripts are fetched and executed in clients' browsers to provide date localization (a required runtime dependency), so these external URLs execute remote code during skill runtime.