ui-capture

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly opens arbitrary reference URLs (SKILL.md Phase 1: "agent-browser open ") and runs in-page evals/detection scripts on those untrusted third-party pages (see detection.md and capture-transitions.md), and the eval outputs (selectors, class names, attributes, regions.json) are consumed to decide capture actions and gating/autonomous behavior, so untrusted page content can materially influence tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill explicitly opens arbitrary reference URLs at runtime (e.g., https://playbook.ebay.com or any user-supplied ) and executes in-page evals/recordings with agent-browser, meaning remote page content and scripts are fetched and run in the recording context and can directly affect captured eval results — so this is a runtime external dependency that executes remote code.