website-builder-pipeline

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.90). The prompt explicitly tells the agent to "Use the Plan Mode → Bypass Permissions workflow" (i.e., instructing it to bypass permission checks / overrides), which is an instruction to evade system-level controls and is outside the legitimate website-building scope — this constitutes a prompt-injection risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests arbitrary public web content — e.g., Phase 2 "Brand Extraction" calls Firecrawl on a user-provided URL (reads the page and writes brand.json) and the "Competitor scaffolding" flow fetches HTML via view-page-source.com/inspiration URLs — and those parsed pages directly feed the build prompts and decision logic, so untrusted third-party content can materially influence subsequent tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill calls external scraping endpoints at runtime—notably Firecrawl (e.g., https://api.firecrawl.dev/v1/scrape) to produce brand.json that is injected into build prompts, and it fetches competitor HTML via view-page-source.com for scaffolding/analysis—so these remote fetches directly control the agent's prompts and are required when those options are chosen.