deep-analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's required workflow explicitly instructs the agent to fetch and browser-scrape public third‑party sites (e.g., xueqiu, cninfo, eastmoney, gov.cn) via WebSearch and Playwright and to read/interpret that untrusted, user‑generated web content (including social media/forums) as part of its analysis pipeline and decision-making (see HARD-GATE-QUALITATIVE, Task 2.5, and Task 1 fetcher instructions), so external pages can materially influence tool use and next actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly performs a background check of the GitHub latest release for the repository (https://github.com/wbh604/UZI-Skill or its releases API like https://api.github.com/repos/wbh604/UZI-Skill/releases/latest) and, if an update prompt exists, writes that remote content into .cache/_global/update_prompt.md which must be shown as the first message — i.e., runtime-fetched GitHub content is injected into the agent's conversation prompt, meeting the criteria for a risky external dependency.