research-subagent

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly requires fetching and rendering open web content (using web_search → web_fetch and Playwright MCP via mcp__playwright__navigate and mcp__playwright__snapshot) from public sites (including news sites, social platforms, SPAs, and arbitrary URLs) and instructs the agent to read and act on that content as part of its research loop, creating clear exposure to untrusted third-party content that could inject instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill fetches arbitrary external URLs at runtime via web_fetch and mcp__playwright__navigate (i.e., any external URL visited by those calls), and the Playwright step explicitly executes remote JavaScript so fetched content can run code and influence the agent's outputs.