design-extractor

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's automatic mode (SKILL.md) and scripts/extract.js explicitly accept an arbitrary target URL and use Playwright (page.goto(url) + multiple page.evaluate DOM/styleSheet queries) to load and extract CSS, HTML components, keyframes and screenshots from public websites, ingesting untrusted third‑party content which is then used to generate design-system files that drive subsequent agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The Playwright extract script loads a user-supplied target website at runtime (e.g. https://aptosnetwork.com) via page.goto(...), executing the site's remote JS and harvesting its CSS/HTML into files that the agent then uses as input, so the external URL both executes code in the runtime browser context and directly controls the content the agent relies on.