defold-project-setup

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The setup script (.agents/skills/defold-project-setup/scripts/fetch_deps.py) parses dependency URLs from the project's game.project, downloads those arbitrary dependency ZIPs (download_to_file / find_game_project_in_zip), reads their game.project include_dirs, and extracts files into .deps — clearly ingesting third‑party content from open URLs that can materially change later tool behavior.