web-article-extractor

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflows in SKILL.md and README explicitly navigate to and execute extraction on arbitrary public URLs (e.g., navigate({ tabId, url: targetUrl }), extractWeChatArticle('https://mp.weixin.qq.com/...'), and loading Readability from a CDN), so it fetches and parses untrusted third‑party webpage content which is then read/interpreted and used to drive actions like conversion, analysis, and image downloads—enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill injects and executes a remote script at runtime via: https://cdn.jsdelivr.net/npm/@mozilla/readability@0.6.0/Readability-readerable.min.js (loaded into the page with document.head.appendChild(script)), which fetches and runs external code relied on for extraction — presenting a clear runtime remote-code execution dependency.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). Flagged because the skill explicitly instructs altering browser startup parameters and runtime environment to disable web security and hide automation (e.g. --disable-web-security, removing webdriver flags), which is a deliberate bypass of security protections and modifies the agent's execution environment.