design-html

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.80). The skill embeds numerous explicit system-level and side-effecting instructions (telemetry opt-ins/logging, creating or committing CLAUDE.md routing, auto-upgrade flows, git rm of vendored code, syncing brain artifacts, running installers) that go far beyond "generate HTML" and can modify user repos, configs, or enable data collection — behavior outside the stated design-html purpose and potentially harmful/undeclared.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill explicitly fetches and runs third-party code during its setup and build flows (curl https://bun.sh/install in the "SETUP" section) and embeds a CDN import fallback (https://esm.sh/@chenglou/pretext) in Step 3, so it will pull and execute public, untrusted web content that can materially change runtime behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes runtime fetching/executing of remote code: it falls back to importing the Pretext JS module from the CDN URL (https://esm.sh/@chenglou/pretext) when a vendored pretext is missing — which will execute remote code inside the generated HTML — and the setup path can curl-and-run the bun installer (https://bun.sh/install), which downloads and executes a remote shell script; both are runtime remote-code dependencies that the skill can rely on.