web-automation-builder

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill injects collect/inject scripts into arbitrary web pages (templates/inject.js.tpl used by recorder._injectDOMListeners and _collectDOMFromAllPages) and captures network responses (lib/network-monitor.js) from public sites, and SKILL.md plus the recorder/stop flow require the LLM to analyze those rawEvents/network bodies to generate workflows and decide actions, so untrusted third‑party page content can directly influence the agent's decisions and tool use.