geo-agent

Warn

Audited by Snyk on Mar 5, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's scripts fetch and scrape public third-party content (e.g., Baidu/Bing via scripts/competitor_research.py and scripts/keyword_manager.py, and AI platform pages via scripts/index_checker.py). Those untrusted/user-generated results are passed into the article generation workflow, where scripts/article_generator.py builds LLM prompts from the scraped "真实竞品数据" ("real competitor data"). Because the scraped content directly determines rankings, recommendations, and publishing actions, the agent is exposed to indirect prompt injection from open web sources.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's research and keyword-distillation scripts fetch live search/suggestion pages at runtime (e.g., https://www.baidu.com/s, https://suggestion.baidu.com/su and https://www.bing.com/search). The retrieved titles/abstracts are injected into the LLM prompt as "真实竞品数据"/comp_text (the label means "real competitor data"), so remote content directly controls the prompts the agent uses, and the agent depends on those searches for its workflow.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 5, 2026, 07:55 AM