deep-research

Warn

Audited by Snyk on Apr 8, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md and helper scripts (scripts/browser-extract.sh and scripts/gemini-research.sh) explicitly instruct the agent to use WebSearch/WebFetch, a chromux browser-explorer, and the Gemini CLI to fetch and extract live content from public sites (including community forums like Reddit/GitHub discussions). The agent is then told to read and synthesize those findings into decisions and follow-up actions, which clearly exposes it to untrusted third-party content that could enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill launches browser-explorer agents and runs scripts/browser-extract.sh, which call chromux open on arbitrary target URLs at runtime (i.e., the argument passed to chromux open or scripts/browser-extract.sh, such as "http(s)://<target‑url>"). The extracted page content is written into agent files and fed into the model context, meaning externally fetched page content can directly influence prompts/output.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 8, 2026, 11:01 AM
Issues: 2