search-skills

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). Multiple SKILL.md files (for example arxiv-api, arxiv-paper-processor, chatpaper-guide, baidu-scholar-guide, base-academic-search, and findpapers-guide) explicitly instruct the agent to fetch and process public, user-submitted content from open APIs/websites (arXiv, bioRxiv, Baidu Scholar, BASE, etc.) and to read/interpret that content to generate summaries, reports, and follow-up actions, which provides a clear path for indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The ChatPaper skill instructs users to "git clone https://github.com/kaixindelele/ChatPaper.git" and then run the code (python chat_paper.py), which fetches remote code at runtime and executes it (and controls LLM prompts), so this external URL is a runtime dependency that can execute remote code.