clone-website

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md workflow explicitly instructs the agent to open and scrape arbitrary target URLs using agent-browser (e.g., "agent-browser open [TARGET_URL]", document.documentElement.outerHTML, asset-discovery and getComputedStyle eval scripts in Phase 1), so the agent ingests untrusted third-party web content and uses that data to drive extraction, build decisions, and dispatched builder actions.