automation-skills

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill set clearly ingests untrusted public content as part of its workflows — e.g., data-collection-automation's research_etl_pipeline reads arbitrary csv_url sources (pd.read_csv(source["url"])), mle-agent-guide describes automated arXiv paper discovery/analysis, and paper-to-agent-guide parses public papers and links to OpenAlex/CrossRef — all of which the agent is expected to read and use to drive subsequent decisions and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The AI-Scientist-v2 and RD-Agent skill docs explicitly instruct cloning and installing remote repositories (https://github.com/SakanaAI/AI-Scientist-v2 and https://github.com/microsoft/RD-Agent.git), which are fetched at setup/runtime and contain code that will be executed and drive agentic prompts/behavior, so they are runtime external dependencies that control execution.