unbrowse

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly navigates and captures arbitrary public sites (see SKILL.md's "resolve --url 'https://www.linkedin.com/feed/'" workflow) and the capture code (src/capture/index.ts) reads page HTML, JS bundles, network responses and cookies which are parsed/auto-extracted and used to discover/select/execute endpoints—meaning untrusted, user-generated third‑party content is ingested and can directly influence tool selection and subsequent agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The auto-update worker (spawned at CLI startup) fetches the latest commit via https://api.github.com/repos/unbrowse-ai/unbrowse/commits/main and downloads/extracts https://github.com/unbrowse-ai/unbrowse/archive/main.tar.gz, then runs shell commands (tar/rsync and bun install), which clearly fetches and executes remote code at runtime.