fui-module-development
Fail
Audited by Snyk on Feb 16, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The code contains high-risk capabilities that can be abused: it executes arbitrary code from module JSON (EXE/templateCompiled), will send the bearer token ($awt) automatically in AJAX calls to any configured API URL (allowing exfiltration), and it accepts postMessage "LOGIN"/other commands without validating origin — together enabling remote code execution and credential/token injection/exfiltration if untrusted modules or messages are allowed.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill clearly fetches and ingests external, potentially untrusted content — e.g., ajaxCALL in scripts/defaultfunction.js (used by action objects' "API" fields and t-combobox's api) will POST to arbitrary absolute URLs (fixURL leaves http(s) URLs unchanged) and Loader.writeScript can load external scripts, and those responses/scripts are bound into vueData and rendered/executed in the UI.
Audit Metadata