llm-wiki

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches arbitrary public URLs via the ingest workflow (SKILL.md Step 3 and scripts/ingest-url.sh which calls the Scrapling CLI to save raw captures under raw/sources), and those untrusted, user-provided web captures are read and synthesized by the LLM to drive wiki updates and filing decisions, so third‑party content can materially influence agent actions and enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The ingest script (scripts/ingest-url.sh) invokes the scrapling CLI at runtime to fetch arbitrary webpages (e.g. "https://example.com/article") and saves that content into raw/sources for the LLM to read/summarize, which is a runtime fetch of external content that can directly influence model prompts (prompt‑injection risk).