ui-test

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly directs the agent and sub-agents to open and interact with arbitrary deployed/public URLs (e.g., "browse open https://staging.your-app.com --cdp", Workflow B exploratory testing and Workflow C parallel Browserbase runs) and even loads third‑party scripts (axe-core from a CDN), meaning untrusted webpage content will be fetched, inspected, and acted on as part of the testing workflow—allowing indirect prompt-injection via page content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly injects and executes axe-core from the CDN at runtime (s.src = 'https://cdnjs.cloudflare.com/ajax/libs/axe-core/4.10.2/axe.min.js') via browse eval to perform deterministic accessibility checks, which is a runtime fetch that executes remote code and is relied upon by the skill's audit flows.