system-study

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs parallel sub-agents to fetch and ingest public web sources (e.g., GitHub repos, leaked system-prompt aggregators, community blogs) — see reference/stage-3-subagent-templates.md (Agent C: "必须看到原文...每个案例至少 3 个原文片段" and Agent D: "用 WebSearch + WebFetch") and Stage 2 plan which requires listing specific URLs — and then requires the agent to interpret those materials (Agent E must give X/10 倾向 and "对用户的启示"), so untrusted third‑party content can materially influence decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's sub-agent templates explicitly require runtime web fetches of original prompt/code fragments (e.g., GitHub repos such as github.com/jujumilk3/leaked-system-prompts) and instruct agents to include those fetched fragments in their outputs/notes, which means external content would be fetched at runtime and injected into the model context thereby directly influencing prompts and is treated as a required dependency.