auto-paper

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly ingests and acts on open/public third‑party content — e.g., Phase 0 “read submission guide (PDF/URL) / fetch_webpage”, Phase 2.1 full‑text ingestion via pubmed-search/get_fulltext(pmcid), unified_search/find_related_articles in Phase 7 — and the agent directly reads and uses that content to populate journal_profile, select citations, drive writing/patch_draft, and autonomous review decisions, so untrusted external pages or papers could materially influence tool calls and behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly fetches and ingests external documents at runtime — e.g., a user-provided submission guide URL fetched via fetch_webpage and PubMed full-text URLs fetched via the pubmed-search/get_fulltext API (e.g., https://www.ncbi.nlm.nih.gov/pmc/…), which are then parsed to populate journal-profile.yaml and drive pipeline instructions, so remote content can directly control agent behavior.