fivem-nui

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill explicitly allows externally hosted UI pages (rules/setup.md "External hosting" with ui_page 'https://ui-frontend.example.com/...') and its NUI callback examples (rules/nui-callbacks.md and rules/fullscreen-nui.md) show the agent/game ingesting and acting on browser-provided JSON (e.g., purchases, TriggerServerEvent), meaning untrusted third-party web content could be loaded and materially influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's setup example shows using an externally hosted UI page (ui_page 'https://ui-frontend.example.com/v1.0.0/index.html'), which would be fetched at runtime and load/execute remote HTML/JS as the NUI (directly controlling UI behavior and executing code), so this external URL is a runtime dependency that can control execution.