mcp-apps

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's references/patterns.md (section "Loading External Resources (CSP Configuration)" and the "Quick Fetch Pattern" that points to GitHub examples) explicitly describes configuring _meta.ui.csp and allowing connect/resource/frame domains so the MCP App UI can fetch and load arbitrary public web resources (APIs, CDNs, GitHub pages), meaning untrusted third‑party content can be ingested and used to drive tool calls and UI-driven behavior.