computer-automation

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to drive a browser and read screenshots of web content (e.g., the act example "search for the weather in Shanghai using the Chrome browser, tell me the result") and also shows passing external image URLs into tap --locate (e.g., a GitHub asset URL), meaning the agent will fetch and interpret arbitrary third‑party web/page/image content as part of its synchronous screenshot-analyze-act workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill invokes npx -y @midscene/computer@1 (fetching and executing the @midscene/computer package from the npm registry, e.g. https://www.npmjs.com/package/@midscene/computer) at runtime, which downloads and runs remote code and is a required dependency for the skill to operate.