flyai

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill calls the Fliggy MCP via the flyai CLI (e.g., fliggy-fast-search, search-flight, search-hotels, search-poi) and ingests public marketplace/listing fields like title, review, jumpUrl, picUrl/mainPic and IDs from Fliggy/Taobao search results (as required by SKILL.md and the references) which are public/user-generated content that the agent must read and use to form booking links and recommendations, exposing it to untrusted third-party input that could carry indirect prompt-injection instructions.