ux

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The workflow references/workflows/style-synthesize.md explicitly opens an arbitrary live SOURCE_URL (via mcp__claude-in-chrome__navigate), captures page text (mcp__claude-in-chrome__get_page_text) and screenshots, and then synthesizes a style report and theme from that public site content — meaning untrusted third-party webpages can influence the agent's parsing and follow-up actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The prototype/workflows invoke package-executors at runtime (e.g., "npx sv create ...", "pnpm dlx shadcn-svelte@latest init", "pnpm dlx shadcn-svelte@latest add ...") which fetch and execute code from the npm registry (https://registry.npmjs.org/) as required setup steps, so remote code is executed during skill runtime.