fal-redesign

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly accepts arbitrary http(s) targets for its "upgrade" and "iterate" commands (SKILL.md and runtime/bin/fal-site.mjs) and uses Puppeteer to screenshot those URLs (runtime/src/review.mjs screenshotHtml) and then feeds the resulting screenshots to vision LLM pipelines (runtime/src/mockup.mjs / runtime/src/implement.mjs), so untrusted public web pages can be ingested and directly influence model prompts and subsequent agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The runtime calls the fal.run API (e.g. https://fal.run/openrouter/router and https://fal.run/fal-ai/gpt-image-2) and requires FAL_KEY; those remote model/image responses are fetched at runtime and directly drive the prompts, mockups, and generated HTML that control the agent's behavior, so this is a required external dependency that controls instructions.