matrix-mate-offline

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly uses browser automation to open and capture ITA Matrix public pages (matrix.itasoftware.com) and then sends those itinerary URLs into the local parse tool via parse_matrix_link (see SKILL.md, references/browser-search.md, and scripts/runtime/client.mjs), so the agent ingests untrusted public web content that can materially influence parsing results and downstream decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The MCP client issues runtime HTTP requests to the Matrix Mate base URL (default http://127.0.0.1:3000 but overrideable via MATRIX_MATE_BASE_URL — e.g. a hosted endpoint like https://matrixmate.desk.travel/), and the JSON responses from that URL are embedded into prompt messages (e.g., traveler-safe-audit-brief) so a remote/overrideable endpoint can directly control agent prompts.