browser-tools

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to open and extract content from arbitrary public web pages (e.g., agent-browser open "$url", agent-browser get text @e#, and eval examples shown in SKILL.md and rules/browser-snapshot-workflow.md and browser-rate-limiting.md), and that extracted untrusted third-party content is then inspected and used to drive actions (extraction, navigation, retries/backoff, form fills), which could enable indirect prompt injection.