devex-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md repeatedly instructs the agent to "use the browse tool to navigate docs" and "browse can test web-accessible surfaces" (e.g., "Navigate to the docs/landing page via browse", "Use the browse tool to navigate docs, try the getting started flow"), meaning the agent will fetch and interpret arbitrary public web pages and playgrounds as part of its workflow and those pages could contain untrusted/user-generated content that influences actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). High-confidence: the skill's SETUP step conditionally runs a one-time installer that downloads and executes remote code from https://bun.sh/install (curl -fsSL "https://bun.sh/install" -o "$tmpfile" then bash "$tmpfile"), which is fetched at runtime and required to build the browse tool.