syncfusion-vue-pdf-viewer

Warn

Audited by Snyk on Apr 30, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill clearly loads and interacts with arbitrary external PDF content (e.g., documentPath and viewer.load() examples in references/basic-sample.md and references/api-methods.md) and reads/uses embedded data such as bookmarks and extracted text (references/bookmark-navigation.md, references/api-methods.md), so untrusted third‑party content can be ingested and influence viewer actions or generated code.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill instructs the viewer to load runtime resources (pdfium.js / pdfium.wasm) from the Syncfusion CDN (resourceUrl "https://cdn.syncfusion.com/ej2/dist/ej2-pdfviewer-lib"), which are remote executable assets fetched at runtime and required for the viewer to function, so this external URL represents a runtime dependency that executes remote code.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 30, 2026, 01:56 PM
Issues: 2