addfox-best-practices

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's content shows and requires content scripts that run on arbitrary web pages (e.g., manifest host_permissions/content_scripts with "<all_urls>" and the app/content/index.ts example that reads document.title and h1), and it instructs injecting/reading page DOM via defineShadowContentUI/defineContentUI — meaning the runtime workflow expects the agent/extension to ingest untrusted, user-generated page content that could influence behavior.