agent-browser

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly drives a real browser against arbitrary external URLs (see SKILL.md core workflow "agent-browser open ") and the templates (e.g., templates/capture-workflow.sh and form-automation.sh) show snapshot/get text and interaction commands that ingest and act on page content, meaning untrusted public web pages can be read and materially influence subsequent agent actions.