native-devtools-mcp-automation

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's CDP and visual flows (e.g., cdp_navigate("https://example.com"), cdp_take_dom_snapshot(), cdp_find_elements(), take_screenshot()/find_text()) explicitly navigate to and ingest arbitrary public web pages and rendered content from third‑party sites (see the "CDP Flow Example" and other CDP/visual examples in SKILL.md), so untrusted web content can be read and influence subsequent automated actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly requires running remote code at runtime via npx (and documents the package/repo at https://www.npmjs.com/package/native-devtools-mcp and https://github.com/sh3ll3x3c/native-devtools-mcp), which fetches and executes external package/source code that the skill relies on to operate.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill grants an agent broad, native control (input simulation, app launch, AX dispatch, CDP, ADB) and even shows automating System Settings and editing client config to auto-approve MCP servers — actions that modify system/privacy settings and weaken approval prompts, so it can compromise machine state and bypass user security controls.