skills/jamditis/claude-skills-journalism/zero-build-frontend/Snyk

zero-build-frontend

Warn

Audited by Snyk on May 11, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.70). The skill explicitly fetches and parses public, user-provided Google Sheets CSV (SHEET_URL in "Google Sheets as database") and uses those rows (via loadFromSheets/fetchWithCache and MapApp.loadData) to drive app behavior such as map markers and popup links, so untrusted third‑party content is ingested and can materially affect the app's actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.70). The skill uses runtime ES module imports from esm.sh (e.g., https://esm.sh/react@18.2.0 and https://esm.sh/react-dom@18.2.0/client) which are fetched and executed in the browser as required dependencies, so external code is executed at runtime.

Issues (2)

W011

MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012

MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level

MEDIUM

Analyzed

May 11, 2026, 01:24 AM

Issues

2