pencil-to-code

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill ingests and interprets arbitrary .pen design files via mcp__pencil__batch_get and mcp__pencil__get_variables (taking text node content and image src URLs like "https://...") as part of its code-generation workflow, so user-supplied or external design content could carry untrusted instructions.