deco-to-tanstack-migration

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests CMS/site data from arbitrary storefront URLs (e.g., the Admin self-hosting flow that calls productionUrl + "/live/_meta" and "/.decofile", the iframe previews at productionUrl + "/live/previews/*", and copying .deco/blocks/) and then uses that data to setMetaData, setBlocks, register sections/loaders and drive migration steps, so untrusted third‑party content can materially influence the agent's actions.