browse

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly navigates and reads live web pages with browser tools (e.g., mcp__claude-in-chrome__navigate and mcp__claude-in-chrome__read_page) and its Phase 3 flow allows a user-provided URL when no dev URL is detected ("AskUserQuestion: 'Enter a URL'"), and the persona session docs also direct the agent to inspect external dependencies (references/demo-presenter-session.md: "Does any screen load data from a third-party API"), so it will ingest untrusted/public third-party content that can influence its actions.