design-system-extractor

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow and tools (tools/design_system_extractor.py and tools/extract_tokens.py, invoked per SKILL.md) fetch and parse arbitrary public website HTML, CSS, and image URLs and return JSON that the AI is explicitly instructed to read and use to generate output, so untrusted third-party content can materially influence the agent's decisions and outputs.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's runtime Python pre-processor (tools/design_system_extractor.py) fetches the user-supplied target site (e.g., "https://example.com") and any linked CSS/Google Fonts (fonts.googleapis.com) and returns JSON that the AI must base its prompts/output on, so remote content fetched at runtime directly controls the agent's generated instructions/output.