linkedin-content

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The Quick Start in SKILL.md explicitly instructs running "belt app run tavily/search-assistant" to research "LinkedIn viral post examples 2024," which implies fetching public, user-generated social media/web content that the agent will read and use to shape post-writing decisions, creating a clear avenue for indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly requires and invokes the inference.sh CLI (https://inference.sh) via "belt app run ..." commands that, at runtime, call remote apps (e.g., tavily/search-assistant, falai/flux-dev-lora) which execute remote code and control prompt processing, so the inference.sh URL is a runtime dependency that can directly control agent behavior.