tldraw

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The "Multiplayer with Yjs" section shows connecting to a WebsocketProvider (wss://yjs.example.com) to receive real-time, user-generated document updates, and the skill's editor APIs (e.g., getCurrentPageShapes, onSelectionChange, updateShape) read and act on that live content, so untrusted third‑party data can materially influence behavior.