browser-trace

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly attaches a CDP client to arbitrary browser targets and records/reads third-party page content (raw CDP events, DOM dumps via "browse get html body" in scripts/snapshot-loop.mjs and start-capture.mjs, and examples in SKILL.md that call browse open https://...), and its bisect/query workflow (bisect-cdp.mjs, scripts/query.mjs and the SKILL.md text "feed structured per-page summaries back into an agent loop") ingests and acts on those untrusted page artifacts, so remote/user-generated web content can materially influence agent decisions.