read

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow (SKILL.md and references/read-methods.md, plus scripts like scripts/fetch.sh and scripts/fetch_weixin.py) explicitly fetches and converts arbitrary public URLs and social/media pages (e.g., x.com/twitter, WeChat articles, defuddle.md/r.jina.ai proxy URLs, GitHub pages) into Markdown that the agent reads as part of its operation, so untrusted third‑party content could inject instructions that influence saving, extraction, or follow-up actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's runtime fetch logic explicitly curls external proxy endpoints (e.g., https://defuddle.md/{url} and https://r.jina.ai/{url}) to retrieve arbitrary remote content which is injected into the agent's returned Markdown (thereby able to directly control prompts/instructions), and those proxies are relied upon as required fetch methods in the runtime cascade.