mineru-extract

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly accepts arbitrary public URLs and submits them to the MinerU API, then downloads and returns extracted Markdown (see SKILL.md and scripts/mineru_parse_documents.py / scripts/mineru_extract.py which accept --file-sources or a source URL and can emit markdown in the JSON/stdout), so untrusted, user-generated web content is fetched and presented for the agent to read and act on, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill calls the MinerU API (default MINERU_API_BASE=https://mineru.net) at runtime, polls for a task and downloads the returned full_zip_url, and it can emit the extracted Markdown inline (via --emit-markdown / --print), which is high-confidence evidence that externally-fetched content from https://mineru.net (and the returned full_zip_url) can be injected into agent input and thus directly control prompts.