planning-wcag-audit

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflow and page-selection guide (SKILL.md and references/page-selection-guide.md) explicitly instruct the agent to fetch and crawl public websites (e.g., curl https://example.com/sitemap.xml and Playwright link collection examples) and to ingest those URLs/content as part of page selection, meaning untrusted third-party web content can be read and influence subsequent sampling and planning decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly includes runtime commands to fetch a site's sitemap (e.g., "curl -s https://example.com/sitemap.xml | grep -oP '(?<=)[^<]+'") and describes Playwright crawling to collect links, so external site content fetched at runtime would directly control the agent's page-selection prompts and behavior.