michelangelo

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's Mode B and visual-validation workflow (SKILL.md) explicitly includes third-party CDNs and web tools — e.g., linking to https://fonts.googleapis.com and in the generated .html and instructing Playwright MCP to open the file/serve the prototype for screenshots — causing the agent's browser to fetch and execute public, external resources which the agent will render and evaluate as part of its validation loop, enabling indirect injection via those untrusted web assets.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs adding/running Playwright MCP using npx (e.g., "npx @playwright/mcp@latest" in the .mcp.json / CLI), which fetches and executes remote package code at runtime and is treated as a required dependency for the visual validation loop, creating a remote-code-execution risk.