nano-world-model
Audited by Snyk on May 5, 2026
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly directs the runtime to download and load external model/checkpoint files from public third-party locations (hf_hub_download from HuggingFace and a Dropbox share URL for an I3D model). These are untrusted, user-uploaded artifacts, and the workflow consumes them directly: checkpoint_path is used to load the models that drive rollouts and planning, so whoever controls those remote files can materially alter agent behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The README explicitly instructs the user to git clone https://github.com/simchowitzlabpublic/nano-world-model.git and then run python src/main.py, so code fetched from that URL is executed as a required dependency at runtime. The instruction, as quoted, pins no commit or tag, so what runs is whatever the repository's default branch holds at clone time.
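The mitigation a practitioner would want for W011 and W012 is to pin every remote artifact to something immutable and refuse to load it until it matches a digest kept outside the download channel. The block below is an added example, not code from nano-world-model or from Snyk's scanner. It assumes a reviewer-maintained manifest of file name to SHA-256 (here constructed inline, with digests computed over constructed sample bytes rather than any real I3D or HuggingFace file) and shows a clean file being accepted and a one-byte-tampered copy being rejected; the `pinned_hf_kwargs` helper is a hypothetical name that builds arguments for `huggingface_hub.hf_hub_download` and rejects mutable revisions.

```python
"""Hash-verified, revision-pinned checkpoint loading (added example)."""
import hashlib
import hmac
import os
import re
import tempfile

# Constructed stand-in for a downloaded checkpoint; not real model weights.
SAMPLE_BYTES = b"\x80\x02constructed-sample-checkpoint-bytes\x00" * 64

# Only a full 40-hex commit hash is immutable on HuggingFace Hub or GitHub;
# branch names ("main") and tags can be moved after the audit.
COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")


class UntrustedCheckpoint(RuntimeError):
    """Raised when a downloaded file does not match its pinned digest."""


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so multi-GB checkpoints never sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checkpoint(path: str, expected_sha256: str) -> str:
    """Return `path` only if its contents hash to the pinned digest.

    The expected digest must come from a manifest the reviewer controls,
    never from the same remote (Dropbox, Hub repo) that served the file.
    """
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise UntrustedCheckpoint(
            f"{path}: sha256 {actual} != pinned {expected_sha256}; refusing to load"
        )
    return path


def pinned_hf_kwargs(repo_id: str, filename: str, commit_sha: str) -> dict:
    """Build kwargs for hf_hub_download that pin an immutable commit.

    Hypothetical helper: hf_hub_download's `revision` accepts a branch, tag or
    commit; this refuses anything that is not a full commit hash.
    """
    if not COMMIT_RE.match(commit_sha):
        raise ValueError("pin to a full 40-hex commit hash, not a branch or tag")
    return {"repo_id": repo_id, "filename": filename, "revision": commit_sha}


def _write_sample_checkpoint(directory: str, tamper: bool = False) -> str:
    """Write the constructed sample bytes, optionally flipping one bit."""
    data = bytearray(SAMPLE_BYTES)
    if tamper:
        data[0] ^= 0x01
    path = os.path.join(directory, "i3d_sample.pt")
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo() -> tuple:
    """Return (clean_file_accepted, tampered_file_rejected)."""
    manifest = {"i3d_sample.pt": hashlib.sha256(SAMPLE_BYTES).hexdigest()}
    with tempfile.TemporaryDirectory() as d:
        clean = _write_sample_checkpoint(d)
        accepted = verify_checkpoint(clean, manifest["i3d_sample.pt"]) == clean
        try:
            verify_checkpoint(_write_sample_checkpoint(d, tamper=True),
                              manifest["i3d_sample.pt"])
            rejected = False
        except UntrustedCheckpoint:
            rejected = True
    return accepted, rejected


if __name__ == "__main__":
    print(demo())  # (True, True)
```

In a real skill the call would be `hf_hub_download(**pinned_hf_kwargs(repo_id, filename, commit))` followed by `verify_checkpoint(local_path, manifest[filename])` before anything reads `checkpoint_path`. The same idea applies to W012: follow the `git clone` with `git checkout <full commit sha>` that the reviewer has actually read. If the checkpoint is a PyTorch pickle, loading it with `torch.load(path, weights_only=True)` (or shipping it as safetensors) closes the second gap, since a hash check proves the file is the one reviewed but not that the reviewed file is safe to unpickle.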
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned for high-entropy literal values that could grant access. I found a Dropbox download URL used twice:
The rlkey value "x5xcjsrz0818i4qxyoglp5bb8" is a high-entropy token embedded in the share URL and likely usable to access the file, so it qualifies as a secret by the definition ("provides access to a service"). No private keys, API keys (sk-...), or other high-entropy credentials are present. Other items (HF repo IDs, env var names like DATASET_DIR, example checkpoint paths, and generic examples) are documentation values/placeholders and not flagged.
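The W008 logic above, high-entropy literals that sit in a URL and grant access versus documentation values that do not, can be reproduced in a few lines. The block below is an added example, not Snyk's scanner and not code from nano-world-model. The sample skill text, the Dropbox-style URL and its rlkey value are all constructed (the token is not the one reported on this page), and the length and entropy thresholds are assumptions chosen so that share tokens are flagged while `dl=1`, repo IDs, env var names such as DATASET_DIR and the identifier `hf_hub_download` are not.

```python
"""Entropy-based detection of access tokens embedded in URLs (added example)."""
import math
import re
from urllib.parse import parse_qsl, urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"'()]+")
# Well-known key prefixes that are secrets regardless of entropy (constructed list).
PREFIXED_RE = re.compile(r"\b(?:sk-|hf_|ghp_)[A-Za-z0-9_-]{16,}")
# Assumed thresholds: short or readable query values fall below at least one.
MIN_LEN = 16
MIN_BITS_PER_CHAR = 3.0

# Constructed sample of skill content; the rlkey token here is made up.
SAMPLE_SKILL_TEXT = """\
Download the I3D weights from
https://www.dropbox.com/scl/fi/EXAMPLEID/i3d_sample.pt?rlkey=q7m3x9k2p8v4w1z6r5t0y3n8b&dl=1
then set DATASET_DIR=/data/rollouts and run python src/main.py.
Model: hf_hub_download("org/model-name", "model.safetensors")
Docs: https://example.com/docs?page=2&section=checkpoints
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical symbol distribution in `s`."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_token(value: str) -> bool:
    """Long and close to uniformly distributed: the shape of a share/API token."""
    return len(value) >= MIN_LEN and shannon_entropy(value) >= MIN_BITS_PER_CHAR


def scan_urls(text: str) -> list:
    """One finding per query parameter whose value looks like an access token."""
    findings = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;")
        for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if looks_like_token(value):
                findings.append({"url": url, "param": key, "value": value,
                                 "entropy": round(shannon_entropy(value), 2)})
    return findings


def scan_text(text: str) -> list:
    """URL query tokens plus bare prefixed keys anywhere in the text."""
    findings = scan_urls(text)
    for m in PREFIXED_RE.finditer(text):
        value = m.group(0)
        findings.append({"url": None, "param": None, "value": value,
                         "entropy": round(shannon_entropy(value), 2)})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SKILL_TEXT):
        print(f)
```

On the constructed sample only the rlkey parameter is reported: `dl=1`, `page=2` and `section=checkpoints` are too short or too regular, `DATASET_DIR` and the repo ID never appear inside a URL query, and `hf_hub_download` matches the `hf_` prefix but has fewer than 16 trailing characters. The Dropbox path segment is deliberately not scanned, since it identifies the file but the rlkey is what the share link needs to open it; widen `scan_urls` to path segments if the target service puts its access token there.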
Issues (3)
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- HIGH W008: Secret detected in skill content (API keys, tokens, passwords).