paraglide-js

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's documentation and required project configuration explicitly reference and load remote plugin/module URLs (e.g., project.inlang/settings.json "plugin"/"modules" entries and "$imports" using https://cdn.jsdelivr.net/...) which the compilation/runtime steps (see references/setup.md and SKILL.md compile examples) will fetch and execute, exposing the agent to untrusted third‑party content that can alter behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's inlang project settings reference remote JS modules that are fetched and executed as required plugins/SDKs at compile/runtime (e.g., https://cdn.jsdelivr.net/npm/@inlang/paraglide-js@2/dist/plugin.js, https://cdn.jsdelivr.net/npm/@inlang/plugin-message-format@latest/dist/index.js, and https://cdn.jsdelivr.net/npm/@anthropic-ai/sdk@latest/dist/index.js), which constitute runtime external code execution and thus pose a risk.