how-to-send-push-notifications-on-flutter-web-fcm

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's service worker and Dart code ingest and forward arbitrary Firebase Cloud Messaging payloads from external senders—see firebase-messaging-sw.js's messaging.setBackgroundMessageHandler (which posts payloads to clients) and firebase_messaging.dart's _mc.onMessage.listen (which adds event.data to a stream)—which exposes the agent to untrusted third-party content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The service worker file uses importScripts to fetch and execute remote JavaScript at runtime — specifically https://www.gstatic.com/firebasejs/7.5.0/firebase-app.js and https://www.gstatic.com/firebasejs/7.5.0/firebase-messaging.js — and the skill depends on those scripts to run messaging code, so they are runtime external dependencies that execute remote code.