literature-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly mandates using the parallel-web skill (e.g., "parallel-cli search" with --include-domains and "parallel-cli extract 'https://arxiv.org/abs/XXXX.XXXXX' --json") and other public data sources (gget for PubMed/bioRxiv, Semantic Scholar, Google Scholar scraping) to fetch and read full texts/abstracts which are then screened and used to drive inclusion/exclusion, synthesis, and subsequent actions—clearly ingesting untrusted, public third‑party content that can materially influence tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill calls the OpenRouter API at runtime (https://openrouter.ai/api/v1) to generate images and return critique that is programmatically injected into and used to modify subsequent prompts, and it also lists a required install step that pipes a remote script into bash (curl -fsSL https://parallel.ai/install.sh | bash), which fetches and executes remote code — both meet the criteria for runtime external content that controls prompts or executes code.