web-access

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly opens and reads arbitrary public web pages (including social media like 小红书/微博/X) as part of its required workflow—see SKILL.md ("何时使用", "能力" and examples) and the CDP proxy API in scripts/cdp-proxy.mjs which expose /new?url, /navigate, /eval, /click, /screenshot endpoints that ingest and let the agent interpret third‑party page content to decide next actions.