nsfc-qc

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's precheck and evidence-collection flow (scripts/nsfc_qc_precheck.py, specifically _resolve_reference_evidence and its _fetch_crossref/_fetch_arxiv/_fetch_unpaywall_pdf/_download_file calls) fetches metadata and PDFs from public sources and arbitrary bib URLs and then feeds the produced reference_evidence.jsonl to AI threads for citation truthfulness/semantic checks (SKILL.md and README explicitly require "元数据获取为必选项" and "引用证据包...供 AI 做语义判断"), so untrusted third-party content is fetched and directly informs agent decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's precheck explicitly performs runtime HTTP fetches (e.g. Crossref: https://api.crossref.org/works/, arXiv: http://export.arxiv.org/api/query, Unpaywall: https://api.unpaywall.org/v2/) and writes fetched metadata/PDF excerpts into reference_evidence.jsonl to be consumed by AI threads for semantic checks — i.e., external content is fetched at runtime, injected into the agent's evidence/prompt context, and metadata fetching is a required behavior of the skill.