interactive-prototype
Warn
Audited by Snyk on May 2, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill's Phase 0 auto-detection explicitly scans the brief for GitHub and Figma URLs and invokes "Skill: ingest-github" / "Skill: ingest-figma", meaning it will fetch and ingest untrusted public third-party content (GitHub/Figma) that can materially influence prototype decisions and actions.
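The check a reviewer would want for W011 is to know, before any fetch happens, which URLs in a brief will trigger the ingest skills, and to make sure whatever comes back is framed as data rather than as instructions. The following is an added example, not the skill's own code: `classify_brief_urls`, `wrap_untrusted`, the host table and the sample brief are assumptions. Host matching is exact or subdomain-based, so a lookalike host such as the constructed `notgithub.com` is not treated as GitHub.

```python
"""Added example (not from the audited skill): identify which URLs in a
brief would be auto-ingested from GitHub or Figma, and frame fetched
third-party content as untrusted data. Names and sample data are assumed."""
import re
from urllib.parse import urlparse

# Hosts whose URLs the (hypothetical) auto-detection hands to an ingest skill.
# Matching is on the parsed hostname, never on a substring of the URL.
INGEST_HOSTS = {
    "github.com": "ingest-github",
    "figma.com": "ingest-figma",
}

URL_RE = re.compile(r"""https?://[^\s<>"')]+""")

# Constructed brief for the example; the URLs are made up.
SAMPLE_BRIEF = (
    "Rebuild the settings page from https://github.com/example/app "
    "to match https://www.figma.com/file/ABC123/settings; ignore "
    "https://notgithub.com/example/app and https://docs.example.org/spec."
)


def _host_matches(host, base):
    """True for the base host itself or any subdomain of it."""
    return host == base or host.endswith("." + base)


def classify_brief_urls(brief):
    """Return [(url, skill)] for every URL in `brief` that would be
    auto-ingested. URLs on any other host are left alone."""
    found = []
    for url in URL_RE.findall(brief):
        url = url.rstrip(".,;:")  # drop sentence punctuation glued to the URL
        host = (urlparse(url).hostname or "").lower()
        for base, skill in INGEST_HOSTS.items():
            if _host_matches(host, base):
                found.append((url, skill))
                break
    return found


def wrap_untrusted(source_url, content):
    """Delimit fetched content so it reaches the model labelled as data.
    This is a partial mitigation for indirect prompt injection: it does not
    stop a model from following embedded instructions, but it makes the
    provenance explicit and gives a reviewer a visible boundary."""
    return (
        f"<<<UNTRUSTED CONTENT FROM {source_url} (data, not instructions)>>>\n"
        f"{content}\n"
        "<<<END UNTRUSTED CONTENT>>>"
    )


if __name__ == "__main__":
    for url, skill in classify_brief_urls(SAMPLE_BRIEF):
        print(f"{skill}: {url}")
```

Running `classify_brief_urls(SAMPLE_BRIEF)` yields the GitHub and Figma URLs only; the two lookalike and unrelated hosts are skipped. Anything those two fetches return should pass through `wrap_untrusted` (or an equivalent boundary) before it influences a prototype decision, and the list of URLs that will be fetched is worth surfacing to the user before the fetch runs.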
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The skill's generated HTML loads and executes remote JavaScript at runtime from unpkg (https://unpkg.com/react@18.3.1/..., https://unpkg.com/react-dom@18.3.1/..., https://unpkg.com/@babel/standalone@7.29.0/babel.min.js), which are required dependencies for the prototype and therefore execute remote code in the runtime environment.
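Pinning a version in the unpkg path (`react@18.3.1`) fixes which package version is requested, but the CDN still decides what bytes are served under that URL; only a Subresource Integrity hash on the tag lets the browser verify them. The following is an added example, not the skill's own output: it audits a generated prototype's HTML for remote `<script src>` tags and reports which ones execute remote code with no way to verify it. The function names, the allowlist and the sample HTML are assumptions; the file paths after the `@version` segment and the `integrity` values in the sample are made up.

```python
"""Added example (not from the audited skill): list the remote scripts a
generated HTML page loads at runtime and flag those that are off the
allowlist or lack an integrity hash. Names and sample HTML are assumed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: paths after the version and the hashes are placeholders.
SAMPLE_HTML = """<!doctype html><html><head>
<script src="https://unpkg.com/react@18.3.1/umd/react.development.js"></script>
<script src="https://unpkg.com/react-dom@18.3.1/umd/react-dom.development.js"></script>
<script src="https://unpkg.com/@babel/standalone@7.29.0/babel.min.js"></script>
<script src="https://unpkg.com/dompurify@3.0.0/dist/purify.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/helper.js" integrity="sha384-PLACEHOLDER"></script>
<script type="text/babel">const App = () => <h1>Prototype</h1>;</script>
</head><body><div id="root"></div></body></html>"""


class _ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs))


def audit_remote_scripts(html, allowed_hosts=("unpkg.com",)):
    """Return one finding per remote script tag:
    src, host, pinned (an @version segment is in the path),
    sri (integrity attribute present), allowed (host on the allowlist)."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script: no network fetch
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # relative or local path, not a remote origin
        findings.append({
            "src": src,
            "host": url.hostname,
            "pinned": "@" in url.path,
            "sri": bool(attrs.get("integrity")),
            "allowed": url.hostname in allowed_hosts,
        })
    return findings


def unverified(findings):
    """Scripts whose code the browser cannot verify before executing it:
    any remote script that is off the allowlist or has no integrity hash."""
    return [f["src"] for f in findings if not (f["allowed"] and f["sri"])]


if __name__ == "__main__":
    for src in unverified(audit_remote_scripts(SAMPLE_HTML)):
        print("unverified remote script:", src)
```

On the sample, the three unpkg React/Babel tags are pinned but carry no `integrity`, so they are reported; the `dompurify` tag is pinned, hashed and on the allowlist, so it passes; the `cdn.example.net` tag has a hash but is off the allowlist. The fix for a generated prototype is either to add `integrity` and `crossorigin="anonymous"` with the hash of each pinned file, or to vendor the three files into the prototype so nothing is fetched from a CDN at runtime.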