visual-diff

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly loads arbitrary HTTP(S) standard and dev page URLs (Step 3 and Step 4) and injects/executes vet.js and screenshot scripts (e.g., window.VET_INFO in scripts/vet.js and screenshot-element.mjs) that extract DOM/text and drive downstream subagents, so untrusted third‑party webpages can be read and can materially influence agent decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill launches a local static server via "npx --yes serve" when a Figma URL is used, which at runtime fetches and executes code from the npm registry (e.g. https://registry.npmjs.org), and the package-lock shows required packages (like sharp) resolved from https://registry.npmjs.org that the skill depends on—so remote code is fetched and executed during runtime.