cellxgene-census

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill explicitly instructs the agent to open and query the public CZ CELLxGENE Census (via cellxgene_census.open_soma(), get_obs(), get_anndata(), axis_query(), etc.) to read dataset metadata and expression matrices from public datasets (e.g., cell_type, tissue, disease), and that untrusted, user-contributed metadata is then used to decide queries and downstream analysis, so third-party content can influence actions.