electron-builder

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's docs (SKILL.md and references/auto-update.md) explicitly describe electron-updater fetching update metadata and artifacts from public providers (GitHub, S3, generic HTTP URLs) — including parsing latest.yml and releaseNotes — which the updater uses to decide downloads and call actions like quitAndInstall, so untrusted third-party content can materially influence runtime behavior.