tapestry

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly fetches and parses arbitrary public URLs (YouTube via yt-dlp/youtube-transcript, web articles via article-extractor/fallback curl+HTML parsing, and PDFs via curl/pdftotext) and then automatically uses that extracted, untrusted third-party content to create action plans, so webpage content can materially influence the agent's decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill downloads and ingests arbitrary user-supplied URLs (the runtime variable "$URL") via curl/yt-dlp/pdftotext and then injects the extracted content into the agent's planning workflow (read CONTENT_FILE → create Ship-Learn-Next plan), so remote content fetched at runtime can directly control the agent's prompts/behavior (flagging the user-provided URL: "$URL").