svg-brand-tint-ops
Warn
Audited by Snyk on Jul 4, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.75). The skill ingests outsider-authored free text when the operating user loads/pastes an SVG (e.g., via the “Load SVG · PNG · JPG” file picker or “Paste SVG code”), and that SVG markup is parsed and inserted into the DOM (
setSVG()→DOMParser().parseFromString(text, ...)→document.adoptNode(svg)), after which the app reads attributes likefill/strokeand renders/inspects them; this SVG text is not authored by the operating user.
Issues (1)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
Audit Metadata