browser-cloud

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). This skill authorizes the agent to visit and scrape arbitrary public websites (e.g., client.scrape / page.goto calls in SKILL.md and examples like examples/scrape-agent.ts and examples/langchain-browser-tool.ts, plus the browse_url OpenAI function in references/integrations/openai-functions.md), ingesting untrusted user-generated/open-web content that the agent then reads and uses to drive tool calls and subsequent decisions—enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill exposes runtime browsing/scrape tools that fetch arbitrary external webpages (e.g., client.scrape / the browse_url tool used against URLs like https://testmuai.com or any user-supplied URL), and those fetched contents are injected into the agent/LLM message context—allowing remote content to directly influence prompts (prompt‑injection) at runtime.