vue-composition-api-best-practices

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill includes runtime code that injects JSONP scripts from external suggestion endpoints (hooks/web/useSuggestion.ts — scriptEl.src = currentEngine.value.suggestionUrl(...)) and opens external search URLs (script-setup examples calling window.open with engineInfo.value.url), which clearly fetches and interprets untrusted third‑party web content that can alter behavior (search suggestions/navigation).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The documentation includes a runtime JSONP example that injects an external script via scriptEl.src = url (url comes from currentEngine.value.suggestionUrl(keyword, callbackName)), which will fetch and execute remote code at runtime and thus is a risky external dependency.