read-research-paper

Warn

Audited by Snyk on May 25, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and scrapes external papers and arbitrary URLs (see SKILL.md "Live fetch" / "Source detection" and the ingestion workflow: toolchains/fetch_paper.py, arXiv API / Crossref / WebFetch / PDF → prompts/parse-paper.md and prompts/extract-findings.md), and it parses that untrusted third‑party content to extract headline findings and plan visuals and downstream actions (e.g., --with-related dispatch to get-research-paper), so external content can materially influence agent decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.70). The skill performs live fetching of external papers at runtime (e.g., https://export.arxiv.org/api/query?id_list=&max_results=1 and related PDF/DOI URLs such as https://arxiv.org/pdf/ or https://doi.org/...), and those fetched documents are injected verbatim into the skill's LLM prompts (see prompts/parse-paper.md, prompts/extract-findings.md), so remote content can directly control the agent's prompt context.

Issues (2)

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: MEDIUM
Analyzed: May 25, 2026, 10:47 AM
Issues: 2