read

Warn

Audited by Snyk on May 13, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and converts arbitrary public URLs and PDFs (see SKILL.md routing, references/read-methods.md, and scripts/fetch.sh, which call defuddle.md, r.jina.ai, agent-fetch, and scripts/fetch_weixin.py / fetch_feishu.py). It returns that untrusted, user-generated web content as Markdown and can save it for downstream /learn automation, so third-party page content could indirectly inject instructions into the agent's workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill calls external proxies at runtime (https://defuddle.md/{url} and https://r.jina.ai/{url}) and may fetch raw GitHub content (https://raw.githubusercontent.com/...). The responses are used to produce Markdown that is injected into the agent's context, so they are able to control prompts. The skill also invokes npx --yes agent-fetch, which fetches and executes remote npm code at runtime. Together these meet the criteria for remote content controlling prompts or executing code.

Audit Metadata

  • Risk Level: MEDIUM
  • Analyzed: May 13, 2026, 12:52 PM
  • Issues: 2