agent-browser
Warn
Audited by Snyk on Mar 9, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly navigates to arbitrary external URLs and ingests page content (e.g., the SKILL.md core workflow "agent-browser open " + "agent-browser snapshot -i", and templates/capture-workflow.sh, which runs "agent-browser get text body" to extract page text), so it fetches and reads untrusted public web content that can influence subsequent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's startup instruction defines agent-browser as the shell function agent-browser(){ nix run github:numtide/llm-agents.nix#agent-browser -- "$@"; }, which fetches and executes remote code from the git URL (github:numtide/llm-agents.nix#agent-browser) at runtime, so this external repository directly supplies the executable logic the skill relies on.