zread

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill's SKILL.md explicitly calls the zread tool to search and read GitHub repository documents, issues, and commits via the Zhipu CodePlan MCP server (e.g., "search GitHub repositories (documents, issues, commits)"), which exposes the agent to untrusted, user-generated web content that the agent is expected to read and could materially influence its actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill calls the external MCP endpoint https://open.bigmodel.cn/api/mcp/zread/mcp at runtime to fetch repository documentation that is injected into the agent’s context and thus can directly control prompts and agent behavior, and the skill depends on this endpoint to function.