design-html

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests content from public third-party sources as part of its workflow — e.g., it will curl and run the bun install script from https://bun.sh/install, perform git fetch/merge and gstack-brain-sync with remote repos, and fall back to importing Pretext from the CDN URL https://esm.sh/@chenglou/pretext (all shown in SKILL.md), any of which can supply remote, untrusted instructions or code that materially change behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill includes a setup step that fetches and executes a remote install script via curl -fsSL "https://bun.sh/install" -o "$tmpfile" and then runs bash "$tmpfile", which is a runtime download-and-execute of remote code (https://bun.sh/install).