weread

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill calls the external WeRead API at https://i.weread.qq.com/api/agent/gateway and routinely ingests user-generated content (e.g., /review/list, /book/bestbookmarks) as part of its workflow, and the SKILL.md's mandatory "通用规则" explicitly requires obeying an upgrade_info.message from API responses (i.e., third-party instructions that change agent behavior), which creates a clear indirect prompt-injection vector.