linkedin-content

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.75). The skill’s runtime workflow can fetch public web content via the example belt app run tavily/search-assistant (Tavily/web search results are outsider-authored text), which the agent then ingests into the LLM context to generate the LinkedIn post.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). This skill explicitly requires and invokes the inference.sh CLI (https://inference.sh) via "belt app run" to execute remote apps (e.g., tavily/search-assistant, infsh/html-to-image, falai/flux-dev-lora) at runtime, which runs remote code and supplies prompts/instructions, so the URL is a runtime dependency that controls execution.