jsapi-filters

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly accepts and processes MessagePort messages from embedded Domo iframes (see "Initialize the JS API Listener" and the handleRpcMethod / handleAppData / handleDrill examples in SKILL.md), and uses that untrusted iframe-provided appData and drill/filter events to drive actions like applyFiltersToEmbed and router.push, so third-party embed content can materially influence behavior.