wjs-publishing-wechat

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). 在 Step 5.5/Step 6 运行链路中，discover-prev-elected.sh 会读取上篇 comments.md（其中包含外部用户留言内容）并把其中“精选”留言的 content/reply 等字段拼进 agent 生成的 <section>上篇精选留言</section>，从而把“非操作用户选择引入的第三方评论文本”喂入 LLM 上下文。

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill requires and instructs agents to fetch/install external code at runtime — notably the gpt-image-2-skill repo (https://github.com/Wangnov/gpt-image-2-skill) which is git-cloned and whose node wrapper is executed by gen-cover-ai.sh / gen-illustration.sh, and the install-by-URL pattern using GitHub blob URLs (e.g. https://github.com/jianshuo/claude-skills/blob/main/<SKILL_NAME>/SKILL.md) which is explicitly described as an agent runtime fetch that installs skill definitions; both are high-confidence runtime fetches of remote content that lead to execution or control of agent behavior.

MEDIUM W021: Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).

• Hidden Unicode characters detected (1 type(s) found)