autoresearch

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The required workflow explicitly asks the agent to define "Action step" examples including "scrape" and to specify "Data inputs: where does the agent read from?" (and even to clone the public repo github.com/karpathy/autoresearch) which indicates the agent is expected to fetch and read open/public third‑party web content that could contain untrusted/user‑generated instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs cloning the git repository github.com/karpathy/autoresearch as part of the runtime Technical Stack, meaning remote code would be fetched and likely executed/used to control the agent's loop and prompts (github.com/karpathy/autoresearch).