code-sandbox

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly describes generating and executing web-crawling code and enabling network access (e.g., the "帮我写个爬虫抓取 xxx 网站的标题" workflow which runs requests+BeautifulSoup in the sandbox with --network=bridge), so the agent can fetch and ingest arbitrary public webpages that could contain untrusted, instruction-like content.