wjs-overlaying-video

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.75). The skill ingests outsider-authored free text from the upstream segmentation hand-off SRT (clip_NN_slug.zh-CN.burn.srt), which is parsed and inlined as JSON into index.html inside <script id="captions-data" type="application/json">..., making it LLM-readable prose at runtime (via JSON.parse(...) and b.textContent = g.text).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The HTML templates include a runtime script tag loading GSAP from https://cdn.jsdelivr.net/npm/gsap@3.14.2/dist/gsap.min.js, which fetches and executes remote JavaScript that the composition relies on for rendering (i.e., a required runtime external dependency that executes remote code).