iupac-to-smiles

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). Yes — the skill explicitly calls the public OPSIN API (https://opsin.ch.cam.ac.uk/) as shown in SKILL.md ("完全使用 OPSIN API") and in scripts/iupac_to_smiles.py (IUPACToSMILES.OPSIN_API and opsin_name_to_smiles), and it parses the API's returned JSON into SMILES that directly determine conversion results and downstream behavior, so untrusted third‑party responses can materially influence the agent's actions.