moonbit-js-binding

Warn

Audited by Snyk on Apr 21, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's workflow explicitly includes fetching and parsing arbitrary web resources (e.g., SKILL.md Phase 4, the example extern "js" fn ffi_fetch_text(...) = #| (url) => fetch(url).then(r => r.text()), and the example async test that calls fetch_text("https://example.com")). It also shows JSON.parse/js_get_opt usage (assets/ffi.mbt). Together these mean that untrusted third-party content from public URLs is ingested and could influence runtime behavior.

Issues (1)

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 21, 2026, 04:43 AM
Issues: 1