widget-design

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill includes widget examples that fetch and render third-party web content (e.g., src/tools/weather.tsx performs a fetch to https://api.open-meteo.com and src/resources/(ui)/widget/pizza-map.ts loads scripts/styles from https://cdn.example.com), meaning the agent/widget runtime will ingest and display external, public third‑party content.