surf-codebase

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill injects data from arbitrary web pages and network responses into the agent workflow (e.g., READ_PAGE in src/content/accessibility-tree.ts that generates an a11y tree from visited pages, CDP network/getResponseBody in src/cdp/controller.ts, and stored network captures in /tmp/surf/requests.jsonl) and the native host (native/host.cjs) integrates that data with AI clients, exposing the agent to untrusted third‑party content.