tabz-integration

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly reads command strings from arbitrary web pages via the data-terminal-command HTML attribute (see SKILL.md and references/html-integration.md) and also accepts queued prompts/commands over WebSocket or spawn API from external sites (references/javascript-api.md and references/spawn-api.md), so untrusted third-party pages can supply commands that are interpreted and queued/executed, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill makes runtime requests to the local TabzChrome backend (e.g., http://localhost:8129 and ws://localhost:8129) to POST /api/spawn and send QUEUE_COMMAND messages over WebSocket, which directly cause commands/prompts to be executed or queued in terminals, so these URLs are runtime endpoints that control execution.