competitor-teardown

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to fetch and scrape public websites and user-generated content (e.g., "belt app run infsh/agent-browser" to screenshot competitor.com, "belt app run tavily/extract" on pricing pages, and search-assistant queries targeting G2, Capterra, and Reddit), so untrusted third-party content is ingested and can influence analysis and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly requires and calls inference.sh (https://inference.sh) apps (e.g., infsh/python-executor and agent-browser) at runtime, which execute provided code and fetch external pages that can be injected into the agent context, so the external service directly enables remote code execution and prompt control.