literature-review-agent

Warn

Audited by Snyk on Apr 14, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly performs Phase 1 web searches (SKILL.md "Phase 1 — Parallel Candidate Discovery": "use your host's web search tool", with an optional Exa backend) and Phase 2 Semantic Scholar API queries (SKILL.md and references/s2-api-cookbook.md). It ingests titles, snippets and abstracts from those public, user- or third-party-controlled sources, and then uses that fetched content (the collected_papers passed into references/prompt.md) to drive citation verification and to generate the Introduction/Related Work sections. Untrusted external content is therefore read and can materially influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill makes runtime calls to the Semantic Scholar Graph API (GET https://api.semanticscholar.org/graph/v1/paper/search?query=...&fields=...), and the returned paper metadata is injected directly into the LLM prompt as the collected_papers that drive the writing and verification steps, so this external URL controls agent prompts at runtime.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 14, 2026, 02:00 PM
Issues: 2