WeChat Publish Pipeline

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly scrapes open/public sources (Step 0: Hacker News, GitHub Trending, optionally Twitter/X) and then uses baoyu-url-to-markdown in Step 1 to fetch and ingest arbitrary public webpages as inputs the agent reads and acts on (writing, prompt generation, publishing), therefore exposing it to untrusted third‑party content that could enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill runs baoyu-url-to-markdown at runtime to fetch arbitrary external pages (--url "{source_url}", e.g. https://news.ycombinator.com/best or https://github.com/trending), and the fetched page content is injected into the agent workflow as source material that directly shapes prompts/output, meeting the criteria for a runtime external dependency that controls agent instructions.