deco-async-rendering-architecture

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's required runtime flow explicitly reads and resolves CMS page JSON and section rawProps from the site CMS (e.g., findPageByPath/loadCmsPage in resolveDecoPage and the loadDeferredSection server function in src/routes/cmsRoute.ts), which ingests user-authored/public CMS content that the resolver uses to decide components, deferral, and loader actions—so untrusted third-party content can materially influence behavior.