computer-use

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to open arbitrary web pages in Safari (see the "Fill a Web Form" example where it types a URL and snapshots the page) and to snapshot/interact with Electron apps like Slack/Discord, so it ingests untrusted, user-generated third-party content whose contents can directly drive clicks/typing and thus influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly runs a runtime install command ("bun run ... shell '{"command":"npm","args":["install","-g","agent-click"]}'") which fetches and installs remote executable code (the agent-click package) and references the package repo https://github.com/kortix-ai/agent-click, so the skill relies on executing externally fetched code at runtime.