deep-research

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow (e.g., reference/methodology.md Phase 3 RETRIEVE and SKILL.md/README) explicitly instructs the agent to run WebSearch/WebFetch/search-cli and spawn Task sub-agents to fetch and parse open/public URLs (news sites, blogs, arXiv, arbitrary web pages and PDFs) and to use those untrusted, user-generated third‑party contents as evidence that directly drives outline changes, claim verification, agent spawning, and report generation—creating a clear avenue for indirect prompt injection.