ui-test

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md and examples explicitly instruct the agent to "browse open" arbitrary deployed/staging URLs (e.g., "Remote Mode / browse open https://staging.your-app.com --cdp" and Workflow B "Exploratory — open the app and try to break it") and even load third‑party scripts (axe-core from cdnjs), so the agent will fetch and interpret untrusted public web content that can materially influence test actions and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly injects and loads the axe-core script at runtime from https://cdnjs.cloudflare.com/ajax/libs/axe-core/4.10.2/axe.min.js (via browse eval), which executes remote code inside the tested page and is relied on for deterministic accessibility audits, so this is a runtime external dependency that can execute code.