waza

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The resolver and read skill explicitly fetch and ingest arbitrary public URLs (skills/read/SKILL.md and skills/read/references/read-methods.md reference a proxy cascade for arbitrary web pages including X/Twitter, WeChat, PDFs and GitHub), and the routing rules (skills/RESOLVER.md and skills/learn/SKILL.md) require the agent to read those pages as part of workflows (e.g., /read → /learn), so untrusted, user-provided third‑party content is read and can directly influence downstream decisions and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The /read skill calls external proxy fetchers at runtime (e.g., https://defuddle.md/{url}, https://r.jina.ai/{url}) and fetches raw GitHub content (https://raw.githubusercontent.com/...), which are used to inject fetched pages into the model context and can directly control prompts—this is a high-risk runtime dependency.