citation-audit

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly requires live web lookups (WEB_SEARCH = required) and Step 3's reviewer prompt instructs "Use web/DBLP/arXiv search" and to verify existence/context from those public sites, so the agent will fetch and interpret untrusted third‑party web content (arXiv/DBLP/OpenReview/etc.) that can change audit verdicts and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill requires a fresh cross-model reviewer with "WEB_SEARCH = required" that will perform live lookups of bibliographic sources (e.g., arXiv and DBLP pages such as https://arxiv.org and https://dblp.org) during runtime and inject the fetched web content into the reviewer context to drive per-entry verdicts, so these external URLs are runtime dependencies that directly influence the agent's prompts/outputs.