pretext
Warn
Audited by Snyk on May 19, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly imports and fetches code and font binaries from public CDNs (e.g., the "CDN Imports" section with https://esm.sh/@chenglou/pretext@0.0.2 and scripts fetching/using https://cdn.jsdelivr.net/... and FONT_URL via fetch in references and templates like assets/templates/glyph-morph.html), so untrusted third‑party resources are downloaded, parsed/executed (opentype.parse, imported modules) and therefore can directly influence layout/rendering and runtime behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The skill loads and executes remote JavaScript at runtime (required for functionality) from CDN URLs such as https://esm.sh/@chenglou/pretext@0.0.2, https://cdn.jsdelivr.net/npm/opentype.js@1.3.4/dist/opentype.min.js, and https://cdn.jsdelivr.net/npm/flubber@0.4.2/build/flubber.min.js (and it fetches font binaries like https://cdn.jsdelivr.net/npm/@fontsource/inter@5.0.8/files/inter-latin-400-normal.woff), which satisfy the conditions for a runtime-executed external dependency and therefore pose a supply-chain/execution risk.
Issues (2)
W011 - MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012 - MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata