webperf-media

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's audit scripts (scripts/Image-Element-Audit.js and scripts/SVG-Embedded-Bitmap-Analysis.js) explicitly fetch page resource URLs (using fetch(...) on image/src and performance.getEntriesByType resource names) and parse fetched SVG/text, and SKILL.md requires the agent to read those results and run follow-up scripts/decisions based on them, meaning untrusted third‑party page resources are ingested and can materially influence subsequent tool actions.