browser-trace

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly attaches to arbitrary CDP targets and records third-party page content—start-capture.mjs runs "browse cdp" to write cdp/raw.ndjson and snapshot-loop.mjs runs "browse get html body --cdp" to write dom/.html (examples even show open https://news.ycombinator.com), and the bisect/query scripts expect the agent to read and act on those captured HTML/console/network events as part of its workflow, so untrusted web content can influence subsequent analysis/actions.