browser-form-fill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (medium risk: 0.65). The skill can ingest outsider-authored free text when it uses the snapshot path: it calls browser_snapshot, walks the page’s accessibility tree, and matches input labels/accessible names (which come from the visited web page content) into the field map keys, thereby feeding that page-derived text into the agent’s LLM context for selector resolution.