web-access

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs the agent to fetch and interact with public websites and social media (see "触发场景" and "浏览器 CDP 模式" with commands like agent-browser --cdp 9222 open <url>, snapshot, and eval) so untrusted, user-generated web content is read and acted on as part of the workflow, enabling indirect prompt injection.