bibi
Warn
Audited by Snyk on May 13, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). This skill explicitly accepts and fetches public, user-generated media (YouTube, Bilibili, Twitter/X, TikTok, podcasts, etc.) as runtime inputs (see the SKILL.md description and references/supported-platforms.md). Its workflows call the OpenAPI endpoints (e.g., GET /v1/summarize and /v1/getSubtitle in references/api.md and in workflows/quick-summary.md, transcript-extract.md and research-compile.md), where the agent ingests transcripts and subtitles and uses that content as context to generate summaries, syntheses, and follow-up actions. Untrusted third-party content is therefore read by the agent and can materially influence its outputs and subsequent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). Flagging https://bibigpt.co/api/mcp (and the related https://bibigpt.co/api/cli-manifest.json) because the skill explicitly instructs MCP clients and the CLI dispatcher to fetch these URLs at runtime to obtain the live tool/command manifest. That manifest directly controls the procedures available to the agent and can therefore alter the agent's instructions and behavior.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly includes a "Payment fallback (China)" flow that can emit HTTP 402 with a Payment-Needed header and states the agent "can resolve this automatically by installing @alipay/agent-payment" (a specific Alipay payment library) or direct the user to a one-off QR purchase. This references a concrete payment gateway integration (Alipay) and an explicit library to perform payments, which is direct financial execution capability.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata