authenticated-web-scraper

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly connects to arbitrary authenticated websites via Edge CDP (see SKILL.md and scripts/scrape_site.mjs), uses Runtime.evaluate to read page DOM/HTML/text and extracts/follows links to drive crawling and next actions, so it ingests third‑party web content that can materially influence tool decisions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt instructs the agent to run system commands from WSL that kill and relaunch Edge with remote-debugging flags, copy/install and execute Node scripts on the Windows host (modifying processes and filesystem and enabling remote debugging of a user profile), which are direct modifications of machine state and pose substantial security risk.