omnitag-recommendation

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and converts arbitrary public URLs (scripts/url_to_markdown.py calls the Jina Reader r.jina.ai/ endpoint and posts to https://markdown.new/, and SKILL.md/README also mention extracting WeChat articles) and then feeds that extracted, untrusted third‑party content into the LLM-driven tagging workflow (including possibly triggering update_tags.py), so external page content can materially influence the agent's decisions and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). At runtime the skill's scripts call external services (POST to https://markdown.new/ and GET from https://r.jina.ai/{url}) to fetch page markdown which is then injected into the model prompt/context, meaning fetched remote content can directly control prompts.