crawl4ai

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill accepts arbitrary public URLs via the crawl_url command (scripts/crawl_url.py) and fetches/combines webpage markdown in engine.py, then supplies the extracted skeleton/markdown from those third‑party pages into an LLM-based chunk planner (_generate_chunk_plan in scripts/crawl_url.py) whose output directly controls which sections are extracted and processed, so untrusted web content can indirectly influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill crawls arbitrary external URLs at runtime (e.g., https://example.com in examples) and injects the retrieved content/skeleton into the LLM prompt to generate chunk plans, meaning fetched remote content can directly influence the agent's planning/instructions.