browser-use

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). SKILL.md explicitly instructs the Agent to open and scrape public websites (e.g., the "Polymarket 集成" examples and code that visits https://polymarket.com/event/fed-decision-in-march-885), interpret that untrusted third‑party page content to extract data and even perform actions (trades), which clearly exposes the agent to user-generated/public web content that can influence decisions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill includes explicit, concrete examples and APIs for executing crypto-market transactions: the "Polymarket 集成" section contains an "执行交易" example that instructs the Agent to connect a wallet, navigate to a market, buy $0.60 of "No", and confirm the transaction. The documentation also shows storing/loading wallet-related sensitive_data (wallet_address) and an output schema with tx_hash. These are direct crypto/blockchain transaction actions (wallet connection, signing/executing trades), which meet the listed "Crypto/Blockchain (Wallets, Swaps, Signing)" criterion for Direct Financial Execution.