Context-Inappropriate Capability
Medium
- Confidence
- 95% confidence
- Finding
- This is a real issue. The tool renders attacker-controlled Markdown/HTML with `page.setContent(..., { waitUntil: 'networkidle' })`, so `<img>`, remote CSS, or other fetch-capable elements embedded in the Markdown can cause outbound network requests during rendering. In an agent context, this can leak that a file was processed, expose the runner's IP/environment to third parties, and potentially enable SSRF-style access to internal services reachable from the host browser context.
