ljg-read

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly requires fetching content from URLs ("0. 接收文本
• URL -> WebFetch or markdown-proxy") and the agent then reads and interprets that third-party web/PDF content to drive translations, annotations, questions, and next actions, so untrusted public content could materially influence behavior and enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches user-provided URLs at runtime ("URL -> WebFetch 或 markdown-proxy 获取内容"), and the fetched content is injected into the agent's context and directly drives its prompts/outputs (i.e., user-provided URLs via WebFetch/markdown-proxy), so this is a runtime external dependency that can control the agent.