develop

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md explicitly instructs the agent to fetch and ingest Subframe designs and components from third-party MCP endpoints (e.g., get_page_info with URLs like https://app.subframe.com/PROJECT_ID/design/PAGE_ID/edit and get_component_info/list_pages), which are user-created/untrusted content that the agent must read and use to decide implementation steps.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches designs at runtime via get_page_info using URLs such as https://app.subframe.com/PROJECT_ID/design/PAGE_ID/edit (and suggests running npx @subframe/cli@latest to sync components), so remote content is pulled during execution and can directly control the agent's instructions or execute code.