case-study

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Phase 2 brand-extraction flow (references/css-extraction.md, referenced in SKILL.md) explicitly instructs the agent to navigate to or web_fetch arbitrary user-provided website URLs and scrape HTML/CSS to build a brand config that is then applied to presentation generation, meaning untrusted third-party content is fetched, interpreted, and can materially influence subsequent actions.