Parser

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and scrapes arbitrary public URLs (e.g., Workflows/BatchEntityExtractionGemini3.md shows WebFetch/curl/Bright Data and the web UI accepts arbitrary URLs) and feeds that untrusted, user-generated third‑party content into Gemini prompts (prompts/entity-extraction.md) whose outputs drive collision detection, GUID assignment, routing, and other tool actions—creating a clear avenue for indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The batch workflow fetches arbitrary remote webpages at runtime (e.g., the script uses curl -s "$url" to retrieve URLs like https://example.com/article-1) and concatenates that fetched content directly into the Gemini extraction prompt, which can allow remote content to control model input (prompt-injection) and thus is a runtime external dependency that directly influences agent prompts.