IDX CMA Report

Pass

Audited by VirusTotal on May 12, 2026.

Findings (1)

The skill is classified as suspicious because of two issues in `scripts/build_cma.py`.

Cross-Site Scripting (XSS). The `_build_interactive_html` function interpolates user-controlled JSON directly into a `<script>` tag in the generated `interactive_local.html` without escaping it for that context. Standard JSON serialization leaves `<`, `>` and `&` unescaped, so a value such as the `address` field in the input JSON can contain `</script>` followed by a new script element, which runs arbitrary JavaScript when the file is opened. Note that HTML entity encoding is not the right fix here, since entities are not decoded inside `<script>`; the JSON itself must have `<`, `>` and `&` written as `\u003c`, `\u003e` and `\u0026` (and U+2028/U+2029 escaped) before it is embedded.

Potential arbitrary file write. If the AI agent can be prompted to pass a sensitive system path as the `--output-dir` argument of `build_cma.py`, the script writes its output files to that location. The argument should be resolved (symlinks included) and required to stay under an allowed base directory before anything is written.
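The following is an added example, not code from the skill or from the audit report, showing the two patterns described above side by side: the unsafe interpolation of raw JSON into a `<script>` tag, the same template with JSON escaped for the script context, and a guard that keeps a requested output directory under an allowed base. The function names, the sample listing record and the base directory are assumptions for illustration; the real `build_cma.py` is not shown on the page.

```python
import json
import re
from pathlib import Path

# Constructed sample record standing in for the user-controlled input JSON.
# The 'address' field carries a </script> breakout payload; 'notes' carries
# a U+2028 line separator, which is legal JSON but breaks JS string literals.
SAMPLE_RECORD = {
    "address": "</script><script>alert(document.cookie)</script>",
    "price": 425000,
    "notes": "line\u2028break",
}

# Characters that must never appear raw inside a <script> element, mapped to
# JSON \u escapes. JSON decoders turn them back into the original characters,
# so the data is unchanged for the page's JavaScript.
_SCRIPT_UNSAFE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",
    "\u2029": "\\u2029",
}


def json_for_script_tag(data) -> str:
    """Serialize data as JSON that can be inlined inside a <script> tag."""
    text = json.dumps(data, ensure_ascii=False)
    return "".join(_SCRIPT_UNSAFE.get(ch, ch) for ch in text)


def build_interactive_html_vulnerable(data) -> str:
    """The pattern the report describes: raw JSON interpolated into the page."""
    return f"<script>window.cmaData = {json.dumps(data)};</script>"


def build_interactive_html_hardened(data) -> str:
    """Same template, but the JSON is escaped for the script context."""
    return f"<script>window.cmaData = {json_for_script_tag(data)};</script>"


def script_breakout_possible(html: str) -> bool:
    """True if the embedded data closes the <script> element early.

    The template contributes exactly one closing tag; any further </script
    sequence came from the data.
    """
    return len(re.findall(r"</script", html, flags=re.IGNORECASE)) > 1


def escaped_json_round_trips(data) -> bool:
    """The escaped JSON must decode to the original data unchanged."""
    return json.loads(json_for_script_tag(data)) == data


def resolve_output_dir(base_dir: str, requested: str) -> Path:
    """Resolve a requested --output-dir and require it to stay under base_dir.

    Hypothetical guard for the argument described in the report. Joining an
    absolute 'requested' onto base discards base, so the containment check
    after resolve() is what actually rejects paths such as /etc or ../../etc.
    """
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    if target != base and base not in target.parents:
        raise ValueError(f"output dir {target} escapes {base}")
    return target


def output_dir_is_allowed(base_dir: str, requested: str) -> bool:
    """Boolean form of resolve_output_dir for callers that prefer not to catch."""
    try:
        resolve_output_dir(base_dir, requested)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(build_interactive_html_vulnerable(SAMPLE_RECORD))
    print(build_interactive_html_hardened(SAMPLE_RECORD))
    for req in ("reports/2026", "../../etc", "/etc"):
        print(req, "->", output_dir_is_allowed("/tmp/cma", req))
```

The hardened builder keeps the same `<script>` template, which is the point: no change to the page structure is needed, only to how the JSON is produced. The path guard resolves both sides so that a symlink inside the base directory cannot be used to redirect writes elsewhere.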