browserman

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow (Step 2B) explicitly instructs the agent to run low-level commands like browserman page open --url ... and browserman page read --json, which causes the agent to fetch and interpret arbitrary third-party webpages whose untrusted content could alter subsequent clicks/typing/actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill invokes BrowserMan commands at runtime which contact the configured BrowserMan server (the serverUrl stored in ~/.browserman/config.json, e.g. https:///) to list and fetch site-optimized scripts that are then executed against the user's browser, so the serverUrl endpoint is a runtime external dependency that can deliver and run remote code.