barba-js

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's documentation and examples show Barba intercepting navigation and fetching arbitrary pages via AJAX (e.g., @barba/prefetch, barba.prefetch, barba.go in SKILL.md and references), and then parsing/using the fetched HTML (next.html) and re-initializing scripts/meta/titles — meaning untrusted public webpages could be ingested at runtime and materially influence behavior.