design-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly browses and ingests arbitrary live sites (e.g., Phase 3 "Page-by-Page Visual Audit" uses $B goto , $B js, $B perf and Phase 2 "Design System Extraction" runs $B js to read DOM styles), so it reads untrusted third‑party page content and uses those observations to drive fixes and commits.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's setup step conditionally downloads and executes the Bun install script at https://bun.sh/install (curl -fsSL "..."/tmpfile then bash "$tmpfile") at runtime to satisfy a required dependency for building the browse tool, which is a remote script execution risk.