heroui-migration

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow and scripts (e.g., scripts/get_migration_guide.mjs, get_component_migration_guides.mjs, get_hooks_migration_guide.mjs) explicitly fetch and ingest migration docs from the public URL base https://heroui-git-docs-migration-heroui.vercel.app/docs/react/migration (or an overridden HEROUI_MIGRATION_DOCS_BASE), and SKILL.md instructs agents to always fetch those external docs before applying changes, meaning untrusted third‑party webpage content can directly influence migration actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The provided Node scripts (e.g., get_migration_guide.mjs and get_component_migration_guides.mjs) fetch MDX migration content at runtime from https://heroui-git-docs-migration-heroui.vercel.app/docs/react/migration which is then output/consumed to drive migration instructions, making it a runtime external dependency that directly controls agent instructions.