card

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's Research & Fact Confirmation workflow in SKILL.md explicitly instructs the agent to run deep research on external URLs, tweets, and topic phrases (e.g., "把这篇文章做成卡片：https://example.com/post") and to ingest sources/URLs into sources.md, so the agent will fetch and interpret untrusted public web content that can change its planning and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill instructs runtime package installs and browser downloads (e.g., "npm install -D playwright" / "npx playwright install chromium" and fallback "npm i -g voxflow"), which fetch code from the npm registry (https://registry.npmjs.org/playwright, https://registry.npmjs.org/voxflow) and browser binaries from Playwright's CDN (e.g., https://playwright.azureedge.net), meaning remote content is fetched at runtime, installed/executed locally, and is required for rendering—so these external URLs present a runtime code-execution dependency.