reflex-browser

Warn

Audited by Snyk on Mar 14, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the agent to open arbitrary URLs (e.g., "open " in references/commands.md and examples in SKILL.md) and to run and parse "summary --intent" / response.data.summary.targets[] as the primary selector/feed for subsequent actions. It therefore fetches and interprets untrusted public web content, which can directly drive tool use and next actions.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 14, 2026, 03:51 AM
Issues: 1