electron-scaffold
Warn
Audited by Snyk on Mar 3, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill includes auto-update code and publishing settings that fetch and interpret update metadata from public GitHub releases (see "Step 6: Auto-Update Configuration" in SKILL.md and the autoUpdater.setFeedURL / publish: provider: github entries in references/build-config.md). An app built from this scaffold therefore downloads and acts on third-party content at runtime, and that content could carry instructions or code that changes the app's behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The scaffold script runs npm init / npm create, which fetch an initializer package from the npm registry (https://registry.npmjs.org) and execute it, for example via "npm init electron-app@latest" or "npm create @quick-start/electron". The template and app config also enable auto-updates from GitHub releases (https://github.com/your-username/your-repo, a placeholder in the template). Both paths retrieve and execute external code at runtime, and both are required for the scaffolded app.
Audit Metadata