oma-scholar

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and parses public records from knows.academy (e.g., /api/proxy/sidecars and /api/proxy/partial shown in resources/api-endpoints.md and SKILL.md ACQUIRE/Mode 6 Remote) and falls back to OpenAlex (resources/fallback-providers.md), treating those remote, user-facing sidecars/abstracts as source material that the agent reads and acts on (generate/review/analyze), so untrusted third‑party content can materially influence subsequent tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly fetches runtime content from knows.academy (e.g., https://knows.academy/api/proxy/search, /sidecars/, /partial, /skill/knows.md) and from OpenAlex (https://api.openalex.org/...) and injects returned sidecars/abstracts into the agent's context to drive generation/validation, so these URLs can directly control prompts/agent behavior.