design-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly navigates to and inspects arbitrary target URLs and web pages (see "Parse the user's request" / "Target URL" and Phase 2/Phase 3 where $B goto, $B js, and screenshot commands extract fonts, colors, and page content) and also uses WebSearch — it therefore ingests untrusted public web content which the agent reads and acts on to decide fixes and make code commits.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's setup step conditionally downloads and executes the bun installer at runtime via curl -fsSL "https://bun.sh/install" and then runs bash on the fetched script to install a required dependency for the browse binary, which clearly fetches and executes remote code during skill runtime.