frontend-design

Warn

Audited by Snyk on Apr 27, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's MCP Server Integration and registry configuration (references/shadcn.md and the components.json examples in SKILL.md) instruct the agent to browse, search, fetch, and install components from external registries (e.g., https://ui.shadcn.com/r/{name}.json, @v0, or arbitrary registries), which are untrusted third‑party sources the agent reads and acts on.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs the assistant to use the shadcn "MCP" flow which fetches registry JSON from URLs like https://ui.shadcn.com/r/{name}.json (and invokes npx shadcn@latest / shadcn mcp which downloads and runs remote package code) at runtime to browse/install components, so remote content can directly influence agent instructions and execute code.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 27, 2026, 05:29 AM
Issues: 2