skill
Warn
Audited by Snyk on May 11, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The workflows (e.g., workflows/explore.md and workflows/new.md) and agents (notably agents/skill-researcher.md and the agentskill.sh scan in references/search-guide.md) explicitly WebFetch public URLs (agentskill.sh, raw.githubusercontent.com and other user-provided RESOURCE_URLs) and require the agent to read and synthesize those untrusted, user-provided web resources into plans that directly drive subsequent tool actions and decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The explore/research agents perform WebFetch at runtime to read external resources (notably raw GitHub URLs like https://raw.githubusercontent.com///main/SKILL.md and agentskill.sh pages like https://agentskill.sh/...). The fetched content is injected into agent prompts/context to drive planning and outputs, so these URLs can directly control agent instructions.
Issues (2)
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata