design-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly visits and scrapes arbitrary external sites via the browse tool (e.g., Phase 3: Page-by-Page Visual Audit using $B goto and $B js to extract fonts/colors/screenshots) and also calls WebSearch during Test Framework Bootstrap (Phase B2) and Codex web_search_cached in Design Outside Voices—the agent is required to read and act on that untrusted, public third-party content to choose fixes and tooling, so it can materially influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's setup step conditionally downloads and runs a shell installer at runtime using curl -fsSL "https://bun.sh/install" and then executes it (bash "$tmpfile"), which is remote code fetched during skill runtime and executed as a required dependency for the browse/setup flow, so it directly enables remote code execution (https://bun.sh/install).