active-research

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to browse and extract content from open public websites (e.g., actionbook browser open "https://arxiv.org/search/advanced", Google/Bing search results, GitHub, HuggingFace, and arbitrary discovered URLs) and to read and synthesize that untrusted third‑party content into reports, which could allow indirect prompt injection to influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly requires querying the Actionbook API at runtime (e.g., via the actionbook CLI call actionbook get "arxiv.org:/search/advanced:default") to retrieve selectors that directly control the agent's subsequent browsing actions and instructions, making this a runtime external dependency that controls agent behavior.