clone-website

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly navigates to and scrapes arbitrary public target URLs using Chrome MCP (see "Phase 1: Reconnaissance — Navigate to the target URL with Chrome MCP" and the examples cloning linear.app and stripe.com), extracting text, computed CSS, assets and interaction behaviors that are then used to drive builder agents and specs—i.e., untrusted third‑party content is ingested and can influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly navigates to and extracts runtime content from the target website (e.g., https://linear.app or https://stripe.com/pricing) using Chrome MCP and then inlines the extracted HTML/CSS/assets/text into component spec files that are fed to builder agents, meaning fetched external site content directly controls agent instructions at runtime.