jerlin-weread-skill
Warn
Audited by Snyk on May 17, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's CLI (scripts/weread.sh) posts to the public WeRead API (https://i.weread.qq.com/api/...) and ingests user-generated content such as reviews, bookmarks, read-reviews and underlines (see the help_* outputs and references/notes.md). SKILL.md also explicitly instructs the agent to follow server-returned messages such as upgrade_info, so untrusted third-party content is read by the agent and can change its actions.
Issues (1)
W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
Audit Metadata