safe-browser

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The template runtime (templates/claude-agent-sdk/hn-scraper-demo.mjs and the SKILL.md demo flow) explicitly browses and scrapes user-generated content from the public site https://news.ycombinator.com (front page and comments via page.$$eval) and uses those scraped values to decide subsequent safe_browser actions (which comments page to visit and which external URL to attempt), so untrusted third‑party content can materially influence tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill instructs running npm install and imports/executes the @anthropic-ai/claude-agent-sdk package (fetched from https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk/-/claude-agent-sdk-0.2.123.tgz per package-lock.json), which is a runtime-installed external package whose code is executed to drive agent queries/prompts, so it meets the criteria for a risky runtime external dependency.