citation-management

Warn

Audited by Snyk on May 28, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.75). scripts/search_google_scholar.py uses the scholarly library to fetch Google Scholar search results at runtime from an external source, including free-text fields such as titles and abstracts. Those strings enter the agent’s LLM context when the agent uses the produced JSON/BibTeX for further reasoning.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The generate_schematic_ai.py script makes runtime API calls to OpenRouter at https://openrouter.ai/api/v1 (using an OPENROUTER_API_KEY) both to generate images and to obtain Gemini 3.1 Pro review text. That review text is then programmatically injected back to modify and control subsequent prompts/iterations, so the external URL directly controls agent instructions at runtime.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: MEDIUM
Analyzed: May 28, 2026, 03:42 PM
Issues: 2