summary

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and downloads PDFs from arbitrary HTTP/HTTPS URLs (Step 1a: "Download PDF from URL", including arXiv/direct PDF links) and then parses and uses the paper's full content (title, abstract, full content, githubLinks, codeLinks) to generate summaries and update index.json, so untrusted third-party content can directly influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). At runtime the skill will download and parse user-supplied PDF URLs (e.g., https://arxiv.org/pdf/1706.03762.pdf) via download-pdf.cjs and inject the extracted full text into the model context, so fetched remote content can directly control prompts/instructions.