consensus

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The SKILL.md mandates using the external consensus CLI to fetch and ingest paper metadata and "takeaway" text from Consensus.app (and to query CrossRef via api.crossref.org for DOI resolution), and that third-party content is read and used to star/filter results and drive follow-up actions, so untrusted web content can materially influence the agent's decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill issues a runtime curl to the CrossRef API (https://api.crossref.org/works/) to fetch metadata that is then used to resolve journal names and directly determine presentation/quality flags, so this external URL is fetched at runtime and controls the agent's output.