readwise

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches full HTML and document content from Readwise (see SKILL.md and references/reader-api.md and scripts/readwise_to_nlm.py which call https://readwise.io/api/v3/list/ with withHtmlContent=true and the readwise-chat/readwise-search flows), meaning the agent ingests arbitrary user-saved / public web content from third parties that can be interpreted and used to drive searches, RAG chats, or notebook actions—allowing indirect prompt injection.