actionbook

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly instructs the agent to open arbitrary external URLs (e.g., actionbook browser open ""), take snapshots, and run commands like actionbook browser text/html/snapshot and browser eval to read and act on live public web pages (examples: GitHub notifications, Airbnb, Twitter/X flows), meaning it ingests untrusted third‑party user-generated content and uses that content to drive selector choices and subsequent automated actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill issues runtime commands like actionbook search/get which rely on the remote Actionbook API (default api.base_url https://api.actionbook.dev) to fetch Action Manuals that directly supply selectors and step-by-step instructions used to drive the agent's actions, making that URL a required external runtime dependency that controls agent behavior.