core-actionbook

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md workflow (search_actions and get_action_by_id) clearly returns URL-based action IDs, content previews, full page details and DOM selectors derived from public websites (e.g., "www.airbnb.com/search"), meaning the agent ingests and acts on untrusted third‑party web content that can directly influence automated actions.