browser-tools

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md and referenced workflows (e.g., the Dogfood workflow and upstream agent-browser docs) instruct the agent to open arbitrary target URLs and run commands like agent-browser open, snapshot -i, and get text to read and act on public web pages and app content (including Slack and other user-generated pages), so untrusted third‑party content is ingested and can drive subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill includes runtime setup commands that fetch and execute remote packages (e.g., "npm install -g agent-browser" / "npx agent-browser install" and use of @vercel/sandbox), which will pull and run code from the npm registry (e.g. https://www.npmjs.com/package/agent-browser and https://www.npmjs.com/package/@vercel/sandbox), so there is clear runtime fetching/execution of external code the skill depends on.