design-html

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's required preamble and setup steps explicitly run git fetch/merge and gstack-brain-sync (pulling artifacts from a remote repo) and may invoke external installers (curl https://bun.sh/install) and/or include a CDN fallback import (https://esm.sh/@chenglou/pretext) — all public third‑party sources whose content the skill relies on and that can materially influence subsequent behavior (gbrain/artifact-driven context, build/serve steps, or generated HTML), creating a clear vector for indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes a runtime CDN fallback that inlines "import ... from 'https://esm.sh/@chenglou/pretext'" into generated HTML when the vendored pretext.js is missing, which will fetch and execute remote JavaScript at preview time and is effectively a required dependency for correct operation when the vendor bundle is absent.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.40). The skill does not request sudo or create user accounts, but it directs many filesystem and repo-changing actions (git add/commit/rm, writing files under ~/, running installers/package managers, starting servers, and telemetry writes), so it modifies the host state non‑privilegedly and could delete or alter project files.