web-access-claude-skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md shows the CDP Proxy opening arbitrary public URLs (e.g., /new?url=https://news.ycombinator.com) and using /eval, WebFetch, and Jina to extract and act on DOM/text from open websites (including twitter.com and other public sites), meaning untrusted third‑party content is read and can directly drive clicks, uploads, tool selection, and follow-up actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly directs runtime installation from and execution of code fetched from the GitHub repo https://github.com/eze-is/web-access (e.g., git clone ... then running node ~/.claude/skills/web-access/scripts/cdp-proxy.mjs), so remote content would be fetched and executed and is a required dependency.