flomo-web-crud

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow (SKILL.md and references/workflows.md and ui-locators.md) explicitly reads live memo content from the flomo Web page (https://v.flomoapp.com/mine) via chrome_read_page / chrome_get_web_content to build candidates and decide edits/deletes, so untrusted/user-generated memo text can influence the agent's subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The README explicitly instructs installing and enabling the skill from a remote GitHub repo (https://github.com/Undertone0809/flomo-crud-skill) and recommends installing MCP tooling (e.g. hangwin/mcp-chrome via npx), which would fetch and execute remote code that directly supplies/controls the agent skill runtime behavior.