qibook-company-wiki-deepresearch

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's runtime fetch_enterprise_data flow calls an external API at QIBOOK_BASE_URL (/skill/entData/support) as shown in scripts/base.py and scripts/data_service.py and SKILL.md explicitly instructs the agent to read result["data"] and use that content to generate and follow templates (result["template_content"]) for report generation, so untrusted third‑party data is ingested and directly shapes the agent's decisions and outputs.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill makes runtime requests to the external API endpoint at "{QIBOOK_BASE_URL}/skill/entData/support" (constructed from the QIBOOK_BASE_URL environment variable), and the JSON response includes a 'prompt' field that the code uses to determine the template/entity type and thus directly controls which instruction/template the agent follows, making this a required remote dependency that influences agent prompts.