vitest

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's migration workflow and scripts (e.g., README.md and references/MIGRATION_SCRIPT.md plus scripts/quick-migrate.sh and scripts/comprehensive-migrate.sh) explicitly fetch and run third‑party code—using npx/@vitest-codemod, npm installs, and curl to download raw GitHub scripts—so untrusted external content is ingested and can directly influence tooling and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The migration scripts and README instruct fetching and running remote code at runtime (e.g., installing/running the codemod package referenced at https://github.com/trivikr/vitest-codemod and downloading scripts via raw.githubusercontent.com/…/quick-migrate.sh), which will execute external code and is relied on by the automated migration steps.