browse

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). The required runtime workflow can fetch and ingest arbitrary public web content via browse open <url> / browse cloud fetch https://example.com (and potentially browse cloud search), which is outsider-authored free text that may be included in the agent’s LLM context through page reads/snapshots/markdown extraction.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The CLI supports installing site-specific skills at runtime via the Browse.sh catalog (e.g., using "browse skills add" which fetches from https://browse.sh), and those installed skills become agent-available automation strategies that can include instruction logic or executable code—so remote content from https://browse.sh can directly control agent behavior at runtime.