arkts-sta-playground

Warn

Audited by Snyk on Feb 16, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill posts user-provided code to the external ArkTS-Sta Playground API at https://arkts-play.cn.bz-openlab.ru:10443/compile (COMPILE_API_URL in scripts/run_playground.py / SKILL.md) and parses/displays the API's JSON output, so it consumes untrusted third-party content as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill posts user-supplied ArkTS code at runtime to the external compile endpoint https://arkts-play.cn.bz-openlab.ru:10443/compile, relying on that service to compile/execute the code, so the URL directly enables remote code execution.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 16, 2026, 12:13 AM