extract

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and crawls arbitrary public origins (SKILL.md § Procedure Phase 1 — "Fetch /sitemap.xml" and BFS crawl) and then live-renders and ingests full page content (SKILL.md § Phase 2 — Playwright renders capturing full innerText, CTAs, media, fonts as described in reference/current-state-schema.md), and those captured, untrusted site contents are directly read/aggregated to produce PRODUCT.md, DESIGN.md, _brand-extraction.json, and brand-review.html which are used to drive downstream decisions—so third-party page content can materially influence agent behavior.