stimulus-coder
Warn
Audited by Snyk on Mar 14, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The skill includes explicit controller examples that fetch and ingest external URLs: the "targetless controller" in references/architecture-patterns.md, whose load() calls fetch(this.urlValue) and replaces element.outerHTML, and the Dependency Inversion "search" example, which calls await fetch(this.urlValue). As a result, untrusted third-party HTML/JSON supplied via data attributes could be read and acted on at runtime.
Issues (1)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).