literature

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests open/public third‑party content (e.g., SKILL.md Phase 2 "Parallel search" and the agent templates calling Google Scholar, Semantic Scholar, arXiv/OpenAlex/web searches, plus references/perplexity-grounding.md calling Perplexity) and the orchestrator is required to read/interpret those results to rank, verify, select, download, and synthesize papers, so untrusted web content can materially influence tool use and next actions.