clone-page

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly opens and scrapes arbitrary public URLs via Playwright (scripts/clone.mjs → openPage in scripts/lib/browser.mjs), executes injected page scripts (scripts/inject/.js) to extract DOM, styles and assets, and consumes those untrusted page-derived files (skeleton.json, styles.json, theme.json, assets) as core inputs for its reconstruction workflow (SKILL.md and scripts/lib/), so third-party page content can directly influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill auto-installs Playwright at runtime via npm/npx (execSync "npm install playwright" and "npx playwright install chromium"), which fetches and executes remote code and may use the fallback download host https://npmmirror.com/mirrors/playwright, and Playwright is required for the skill to run—so this is a runtime external dependency that can execute remote code.