reviewing-lwc-mobile-offline

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). The required runtime workflow runs scripts/run-komaci.sh which invokes the Komaci ESLint plugin with the bundleAnalyzer processor; that processor reads the component’s sibling HTML templates from the filesystem (user-provided LWC bundle), and those templates are outsider-authored free text relative to the agent (i.e., not bundled reference material).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The run-komaci.sh script runs "npm install" on first run to fetch the pinned packages (@salesforce/eslint-plugin-lwc-graph-analyzer and eslint) from the npm registry (https://registry.npmjs.org/), and those fetched packages are executed (ESLint + plugin) at runtime to produce the analyzer output, so this is a runtime external dependency that executes remote code.