affiliatematic

Warn

Audited by Snyk on Mar 4, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The skill's SKILL.md explicitly states that the service's embedded script (https://affiliatematic.com/amazon-widget.iife.js) works as follows: "AI analyzes page content (title, meta, text)". That arbitrary webpage content is then used to select and display affiliate products, meaning untrusted third-party page content is ingested and can materially influence the agent's decisions about which products/links to present.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs inclusion of the remote script https://affiliatematic.com/amazon-widget.iife.js which is fetched and executed in visitors' browsers and is required for the widget to function, so it is a runtime external dependency that executes remote code.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 4, 2026, 02:22 AM