ai-automation-workflows

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The workflow explicitly runs a search app (RESEARCH=$(belt app run tavily/search-assistant ...)) and then uses that returned content directly in a downstream prompt ("Write a 500-word blog post about $TOPIC based on: $RESEARCH"), which indicates the agent ingests untrusted public search/web content that can materially influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill depends on the inference.sh platform (https://inference.sh) at runtime — the belt CLI commands (e.g., belt app run ...) send prompts to and execute models on that external service, so remote content/control is required for the skill to operate.