literature-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and ingests open/public third‑party content as part of its core workflow (see SKILL.md Phase 2 "Multi-Database Search" which uses gget to search PubMed/bioRxiv, direct arXiv and Semantic Scholar APIs and even Google Scholar scraping, and scripts like scripts/search_databases.py that aggregate/export combined_results.json and scripts/verify_citations.py that query CrossRef), and that external, often user-generated/unreviewed content (preprints, web pages) is read and used to drive screening, synthesis, and citation verification—so untrusted third‑party content can materially influence agent decisions.