before-and-after

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill accepts arbitrary http/https URLs (used in before-and-after commands and capture.sh which calls agent-browser:open, plus the .vercel.app curl check) and captures/inspects page content/selectors for screenshots, so it clearly ingests untrusted public web content that could carry indirect prompt injection.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill tells the agent to install a global npm package (modifies the host environment and may require elevated privileges) and explicitly instructs using vercel inspect / obtaining a bypass token to circumvent .vercel.app protections, which encourages changing system state and bypassing security controls.