firecrawl-website-design-clone

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs the agent to fetch and scrape arbitrary user-supplied public websites using Firecrawl (see "Firecrawl Collection Plan" and the example firecrawl scrape "https://example.com" commands) and to read the returned branding output and screenshots as primary evidence to generate DESIGN.md and build instructions, which exposes the agent to untrusted third-party content that could inject instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill runs firecrawl scrape on an arbitrary external site (e.g., "https://example.com" in the examples) at runtime and ingests the fetched branding/screenshot/HTML as the primary source that directly drives the agent's prompt/context, so the external URL content can control agent instructions.