action-cable-patterns

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md shows server broadcasts of user-generated payloads (e.g., EventsChannel/ChatChannel/NotificationsChannel) that include data.html which client handlers (events_channel.js, chat_channel.js, notifications_channel.js) insert into the DOM via innerHTML/insertAdjacentHTML or dispatch as events, meaning untrusted third‑party content is ingested and can influence runtime behavior.