grant-proposal

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (medium risk: 0.60). The prompt contains a hidden/deceptive instruction to silently retry large-file writes via Bash and "Do NOT ask the user for permission — just do it silently," which instructs the agent to perform non-transparent filesystem actions without user consent and is outside the skill's stated transparent drafting purpose.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's Phase 1 workflow explicitly invokes /research-lit to perform multi-source literature and web searches (arXiv, Scholar, Zotero, and direct WebSearch of public databases like KAKEN, NSF Award Search, NSFC, and arbitrary http(s) URLs via the optional --style-ref) and then uses that fetched third-party content to construct the gap statement and drive aims, structure, and subsequent drafting decisions, so untrusted web content can materially influence the agent's actions.