open-source

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill documentation shows the agent will navigate to and scrape arbitrary public webpages (e.g., page.goto and page.extract_content in references/actor.md, and navigate/search/extract tools and Agent task examples in references/agent.md), and those LLM-driven page-extraction and tool-decision flows explicitly read and act on untrusted third-party content, so page content could influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The Quickstart "Production with @sandbox" includes a runtime command that fetches and executes remote shell code—curl -fsSL https://browser-use.com/profile.sh | sh—which directly executes external code and is used to obtain a required profile_id.