build-landing-page

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). Yes — Step 0 "WEBSITE THEME EXTRACTION" requires fetching/scraping the user's provided public website (via WebFetch and downloading logo/hero images with curl) and uses extracted brand tokens (colors, fonts, contact info, reviews, images, business name, etc.) as authoritative inputs that directly drive code generation and behavior, so untrusted public site content can materially influence the agent.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches the user-supplied website at runtime (via WebFetch of the homepage and runtime curl commands like curl -L "[LOGO_URL]" and curl -L "[HERO_IMAGE_URL]") and uses the scraped HTML/assets to extract brand tokens that directly drive the agent's prompt-driven design and code generation, so the user-provided site URLs are runtime external dependencies that control the agent.