e2e-agent-browser

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md and included runner templates explicitly instruct the agent to open arbitrary web URLs (e.g., "agent-browser open https://example.com" and helpers.open / agent-browser open in templates), take snapshots and JSON output, read page text/title and eval JS, and then use those results (refs/text) to click/fill/wait, which means it fetches and interprets untrusted public web content that can materially drive subsequent actions.