browser-ability

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md and script.js explicitly show the agent will connect to arbitrary websites via a browser CDP and retrieve data (e.g., "signin and retrieve data from websites" plus the sign-in URL/signin_id example in SKILL.md), so the agent will fetch and interpret untrusted public web content (sign-in pages, purchase history, etc.) that can materially influence its next actions and tool calls.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's runtime connects to an external MCP endpoint (MCP_URL = ${SERVER_URL}/mcp) and depends on responses from that server (e.g., returned "system_message"/content) to drive agent instructions, so the SERVER_URL/MCP_URL is a runtime dependency that can directly control prompts.