ferris-search-tools

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md and references/tools-api.md explicitly instruct the agent to fetch and extract content from arbitrary public URLs (fetch_web_content) and domain-specific public sites such as GitHub, CSDN, Juejin, Zhihu, and linux.do, and require the agent to read and incorporate that untrusted third-party content into answers and tool use, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). This skill exposes runtime fetchers (e.g., fetch_web_content and fetch_github_readme) that retrieve and inject external page content such as https://github.com/tokio-rs/tokio and https://doc.rust-lang.org/book/ into the agent's context, meaning remote content can directly control prompts/instructions.