citation-management

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and parses open public content (Google Scholar scraping, PubMed E-utilities, arXiv, CrossRef, DataCite and arbitrary URLs) as part of its required workflows and scripts (see Phase 1/Phase 2 and scripts like search_google_scholar.py and extract_metadata.py in SKILL.md), and that untrusted/user-submitted metadata is used to drive automated extraction, validation, deduplication and auto-fix decisions—exposing the agent to indirect prompt-injection risk.