react-19-plugin-migration
Warn
Audited by Snyk on Mar 31, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs running third-party tools fetched from the public npm registry (e.g., "npx -y @grafana/react-detect@latest" in Step 2 and "npx @grafana/create-plugin@latest update" in Step 3), and the output of those tools is read and used to decide subsequent migration steps, so untrusted external content can influence behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill requires running npx commands that fetch and execute remote npm packages at runtime (e.g., "npx @grafana/create-plugin@latest" and "npx -y @grafana/react-detect@latest"), which download and run external code and are required for the migration steps.
Issues (2)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata