afa-brand

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly performs automatic scraping of user-provided public URLs and social channels as part of its required workflows (e.g., "给我你的网站 URL → 自动抓取 + 分析流程" in the Core Workflow and the "Auto-Scrape Mode" in references/voice-building-sop.md and Mode E URL-based brand audit), so it ingests untrusted third‑party/user-generated web content which the agent is expected to read and use to drive analysis and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's Auto-Scrape mode explicitly fetches and ingests arbitrary user-provided website content at runtime (e.g., {url}/about and {url}/blog), which is then used to drive analysis and generation—i.e., external content directly controls the agent's prompts/context.