scrape

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.80). The skill embeds numerous side-effecting instructions (telemetry prompts/logging, config changes, file writes/touches, CLAUDE.md editing and git commits, auto-upgrade flows, artifact/brain syncs, and vendoring migration steps) that run on skill start or via prompts and are unrelated to the advertised read-only "scrape" purpose, so it contains deceptive/out-of-scope instructions.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's prototype workflow (Step 4) explicitly tells the agent to navigate to user-supplied hosts/URLs and run $B goto / $B snapshot / $B html / $B links to pull page content (the user's intent "usually names a host or a URL; use it directly"), so the agent will fetch and interpret arbitrary public web pages — untrusted third‑party content that could carry indirect prompt-injection payloads.