bdg

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs the bdg CLI to open arbitrary URLs (e.g., "bdg ") and use CDP/DOM commands (e.g., Runtime.evaluate, document.querySelectorAll, dom fill/click/submit) to read and act on page content from the open web, meaning untrusted third‑party pages can be ingested and directly influence subsequent automated actions.