autobrowse

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's inner agent (scripts/evaluate.mjs and the defined execute tool/system prompt) explicitly runs "browse open " against URLs provided in tasks//task.md (and via free-form /autobrowse inputs), then reads snapshots and page text (browse snapshot / browse get text) and uses that content to decide clicks/fills and produce outputs (see SKILL.md, evaluate.mjs, and the SF-311 example), so it clearly ingests and acts on untrusted public web content.