browser-tools

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md and accompanying rules (e.g., the Decision Tree and examples like agent-browser open "https://..." plus commands such as get text body, snapshot -i, and robots.txt fetching in rules/browser-scraping-ethics.md and the agent-browser-safety hook) explicitly require fetching and interpreting content from arbitrary public websites, so untrusted third‑party page content can influence navigation and subsequent agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's safety hook explicitly fetches a site's robots.txt at runtime (e.g., https://docs.example.com/robots.txt) and uses its directives to block or allow crawling, so remote content directly controls whether the agent proceeds.