aris-autonomous-ml-research

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's core workflows explicitly perform multi-source literature searches and downloads from open/public sites (e.g., "Idea Discovery" lists arXiv, Scholar, Zotero, Obsidian and the arXiv download flag) and the code shows runtime fetching of BibTeX from DBLP/CrossRef, which the agent ingests and uses for novelty checks, review-driven fixes, and pipeline decisions—clearly exposing it to untrusted third-party content that could influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill documents configuring LLM_CHAT_BASE_URL (e.g. "https://open.bigmodel.cn/api/paas/v4") which is used at runtime by the bundled llm-chat MCP server to call an external LLM whose responses are injected as the adversarial reviewer and directly drive the agent's review/fix actions, making this remote endpoint a runtime dependency that can control prompts/instructions.