build-mcp-app

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the server/widget to fetch and inline arbitrary external URLs (see the toDataUrl external image fetch in references/iframe-sandbox.md) and documents using app.callServerTool/app.openLink to retrieve or surface third‑party content which is then piped into tool results and model context (ontoolresult/updateModelContext/sendMessage), so untrusted public content can be read by the agent and influence its actions.