validate-references

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly performs network requests to public third-party sources — resolving DOIs via the CrossRef API in validate_dois (https://api.crossref.org/works/...) and checking arbitrary URLs from .bib entries in validate_urls — and interprets those responses to mark entries as errors/warnings, so untrusted external content can influence its decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill calls install.packages(...) at runtime to fetch required R packages (RefManageR, httr2, curl) from CRAN (e.g., https://cran.r-project.org/), which downloads and executes remote code that the skill depends on.