Search SOP

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs the agent to use Layer 1.5 "web_fetch" to access arbitrary public academic URLs (author/lab homepages, conference pages, GitHub READMEs, OA links) and Layer 2 Browser RPA to scrape sites like Google Scholar/CNKI/etc., and requires extracting and acting on that third‑party page content (routing, result evaluation, library_add_paper), so untrusted third‑party content can materially influence agent behavior.