distill-to-skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly ingests external web content (SKILL.md Phase 2: "URLs: WebFetch"; Phase 3 and references/extraction-jobs.md instruct sub-agents "WebSearch" and "WebFetch") and requires the agent to read and act on that untrusted third‑party content to extract claims, copy patterns, triggers, and synthesis that determine downstream behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly performs WebSearch/WebFetch at runtime to retrieve arbitrary external URLs (e.g., any https://... target such as https://example.com/report) and injects those fetched source contents into extraction and synthesis sub-agents that directly shape prompts and the generated SKILL.md, so external web content fetched at runtime can directly control agent instructions.