clone-website

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly directs the agent to navigate to and scrape a user-supplied target URL via browser MCP (Phase 1: Reconnaissance, Asset Discovery Script, and many extraction steps) and to extract text, assets, and computed styles which are then used to generate spec files and drive builder agent actions, meaning arbitrary third-party page content can directly influence decisions and tool usage.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly navigates to and fetches the user-provided target URL ($ARGUMENTS) at runtime and uses the extracted site HTML/assets to build/specify component prompts that are inlined to builder agents, so any remote site URL supplied can directly control the agent prompts and behavior.