research-protocol

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). The required workflow uses web-search and then web-fetch on URLs found at runtime, which ingests outsider-authored public web page text into the agent’s LLM context as Markdown.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill requires calling web-fetch on arbitrary external URLs (e.g., raw content such as https://raw.githubusercontent.com/...) at runtime and mandates that fetched content be added as evidence and cited before answering, so remote content directly controls agent outputs.