scholar-deep-research
Warn
Audited by Snyk on May 10, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests open/public third‑party content (e.g., Phase 1 uses search_exa.py / Exa and optional Brave MCP and Phase 3 agents run extract_pdf.py that fetches PDFs via Unpaywall/paper-fetch from arbitrary URLs), and the Phase 3 deep‑read agents are required to read and interpret that content (references/agent_prompts/phase3_deep_read.md and SKILL.md Phases 1–4), with the extracted evidence driving gating, citation‑chasing, synthesis, and report generation—so untrusted third‑party content can materially influence tool use and next actions.
Issues (1)
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).