lightpanda

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly shows fetching and scraping arbitrary public web pages (e.g., the "CLI Usage" fetch example, the "Playwright/Puppeteer Integration" page.goto calls, and the "Web Scraping Patterns -> Batch Page Fetching" example) so the agent is expected to ingest and act on untrusted third-party content that could contain instructions influencing its behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill’s installation and build steps fetch and install remote executables required to run the skill—e.g. the release binaries downloaded via https://github.com/lightpanda-io/browser/releases/download/nightly/lightpanda-x86_64-linux and https://github.com/lightpanda-io/browser/releases/download/nightly/lightpanda-aarch64-macos, the source clone https://github.com/lightpanda-io/browser.git, and the Docker image lightpanda/browser:nightly—which will execute remote code when installed/launched, so they constitute external runtime-executed dependencies.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.40). The prompt includes explicit privileged operations (e.g., "sudo apt install ..." in the build instructions) and commands to run services/containers that modify system state and may require elevated privileges, so it does ask the agent/user to perform actions that can change the host system.