browser-tools

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL documentation (e.g., SKILL.md "Dogfood" workflow and the upstream references) explicitly instructs the agent to open arbitrary target URLs (examples: vercel.com, https://app.slack.com, example.com) and to snapshot/get text/screenshot/parse pages—i.e., it fetches and ingests untrusted public web content and then uses that content to drive actions like clicks/fills/navigation, which can enable indirect prompt injection.