vueuse

Warn

Audited by Snyk on Mar 9, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's composable docs explicitly show and enable fetching arbitrary public URLs (e.g., useFetch and useAsyncState examples fetching https://jsonplaceholder.typicode.com/todos/1, useImage loading https://place.dog/300/200, useEventSource('https://event-source-url'), and wrappers like useAxios/useFetch) and describe hooks (afterFetch/onFetchError/beforeFetch) that consume and act on that remote content, meaning untrusted third‑party content can be read and materially influence behavior.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 9, 2026, 08:08 AM