subkeyword-injector

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to use a Browser MCP or the agent-browser CLI to open arbitrary page URLs and snapshot/extract headings and sections from public webpages, which the agent then reads and uses to decide and apply content edits.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill explicitly fetches the user-supplied page via the agent-browser command (agent-browser open ) at runtime and injects that page's content into the agent context to drive edit instructions, so the external page URL directly controls prompts and is a required dependency.