paper-summary

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL explicitly accepts and processes public arXiv links/IDs (see "Supported Inputs" and the example command in SKILL.md) and its Workflow/Evidence Grounding steps require the agent to read and act on the paper's content, so untrusted third‑party webpages/PDFs could carry indirect prompt-injection instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill explicitly accepts and uses arXiv links at runtime (e.g., https://arxiv.org/pdf/2304.13712 and the arXiv URLs listed in the smoke tests) to fetch paper content that is injected into the agent context and thus can directly control prompts, so this is a runtime external dependency that influences agent instructions.