component-search

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly calls out searching and importing from the web component database (via "pcb search -m web:components -f json" and "pcb new component --component-id ..."), downloading supplier-sourced artifacts (CSE, LCSC, DigiKey) and generated component files/datasheets that the agent must parse and then use in the design workflow, which exposes it to untrusted public third-party content that can influence subsequent tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs runtime imports of remote registry modules such as "github.com/diodeinc/registry/components/AP2112Kx/AP2112Kx.zen" (and "github.com/diodeinc/registry/components/TPS54331D/TPS54331D.zen"), which are fetched as required dependencies and can contain .zen module code that will be executed/loaded into the build/runtime environment.