browser-extract

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). The skill’s runtime path explicitly ingests rendered web page content via the recorded browser-record session (steps browser_wait + browser_snapshot/browser_eval), which is outsider-authored free text from arbitrary URLs/pages into the agent’s LLM context (even though it is gated by AIDefence).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill invokes npx -y @claude-flow/cli@latest at runtime to retrieve and store templates (e.g., "npx -y @claude-flow/cli@latest memory retrieve" / "memory store"), which fetches and executes remote npm package code that the skill relies on—constituting a runtime external dependency that executes remote code.