Missing User Warnings
Medium
- Confidence
- 92% confidence
- Finding
- The skill parses XML directly with xml.etree.ElementTree via ET.parse() and ET.fromstring() while presenting it as a general-purpose reader for external construction-system files, but it provides no warning or hardening guidance for untrusted XML. In real usage, this can lead consumers to process attacker-supplied XML without considering parser abuse risks such as denial of service from oversized or maliciously structured XML, making the omission security-relevant rather than purely documentation-related.
