reflex-browser-cli

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly navigates to arbitrary URLs via the "open" command (references/commands.md and examples in references/protocol.md) and exposes page content through "html/source", "summary", "selector_helper", and "eval" (references/commands.md, references/selectors.md), which the agent is instructed to read and use to choose selectors and drive actions, so untrusted web content could indirectly inject instructions into the agent's workflow.