documentation-scraper

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and scrapes public documentation sites (via the slurp CLI and analyze-sitemap.js which retrieves sitemaps and pages such as slurp <url> and node analyze-sitemap.js <base-url>) and then compiles that third-party content into compiled_docs.md intended for AI consumption, exposing the agent to untrusted external content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly runs at-runtime fetches of arbitrary documentation URLs (e.g., the repeated runtime command examples like "slurp https://docs.example.com/" and concrete examples such as "slurp https://expressjs.com/en/4x/api.html") and then compiles that external content into markdown "designed for AI context injection," meaning the fetched remote content directly controls the agent's prompt/context.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt explicitly instructs the agent to "Run Outside Sandbox" and set dangerouslyDisableSandbox: true for all shell commands, directing the agent to bypass sandbox/security controls and execute arbitrary network and file operations on the host (even though it doesn't demand sudo or direct system-file edits).