scholar-deep-research

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly ingests open/public third‑party content (e.g., OpenAlex/arXiv/PubMed and optional open-web via search_exa.py / Brave MCP) during Phase 1 and then commands agents in Phase 3 to fetch and read full texts via extract_pdf.py (--doi / --url) as documented in SKILL.md and references/agent_prompts/phase3_deep_read.md, and those external pages/PDFs are parsed and used to drive selection, evidence extraction, citation-chasing, and report decisions—so untrusted web content can directly influence tool use and next actions.