deep-research

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's required workflow (Phase 1 and Phase 2) explicitly instructs the agent to run web searches (search, search_web), scrape and read arbitrary public URLs (scrape, read_url_content, crawl), screenshot pages with browser_subagent, and pull GitHub contents (get_file_contents) as core steps, meaning untrusted, user-generated third‑party content from the open web would be read and used to drive analysis and recommendations.