ljg-plain

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's execution step 1 explicitly requires fetching content from URLs via "WebFetch" and WebSearch (SKILL.md "执行 → 1. 获取内容: URL → WebFetch | ... | 书名/论文名 → WebSearch"), so untrusted public web content would be ingested and used to drive the agent's rewriting and file-generation workflow, enabling indirect prompt injection.