content-extract

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill fetches and parses arbitrary public web pages (via the web_fetch probe and the MinerU wrapper scripts such as mineru-extract/scripts/mineru_parse_documents.py) — including user-generated sites explicitly listed in references/domain-whitelist.md (mp.weixin.qq.com, zhihu, xiaohongshu) — and returns markdown that agents are expected to read and use, exposing it to untrusted third-party content and potential indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill invokes arbitrary, user-supplied URLs at runtime via the --url argument to scripts/content_extract.py (i.e., whatever URL is passed to "python3 scripts/content_extract.py --url ") and inlines the fetched page as markdown in the JSON result that will be fed to downstream agents, so remote page content can directly control prompts/instructions.