add-multiplayer

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly connects to a PartyKit server and other peers and parses/acts on arbitrary JSON messages from remote clients (see src/multiplayer/MultiplayerClient.js onMessage handling and src/systems/NetworkManager.js _wireClient/_onState/_onWelcome), which are untrusted, user-generated third‑party inputs delivered over the open web and used to drive game logic and subsequent network/actions as required by the SKILL.md workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill explicitly runs tooling that fetches and executes remote packages at runtime (e.g., "npx partykit ..." and "npm install partysocket", which download/execute code from the npm registry such as registry.npmjs.org) so these runtime external dependencies can execute remote code on the host.