paddle-ocr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly accepts and processes remote, arbitrary URLs (scripts/layout_caller.py supports --file-url and lib.parse_document handles file_url), SKILL.md documents using --file-url, and the code can download external image URLs (save_images uses urllib.request.urlretrieve), so it ingests untrusted public web content that directly influences outputs and triggers further downloads.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill requires a runtime-configured PaddleOCR layout-parsing API endpoint (PADDLEOCR_DOC_PARSING_API_URL, e.g. https://your-endpoint.example.com/layout-parsing) which the code calls at runtime and whose JSON response (layoutParsingResults[*].markdown.text/images) directly controls the generated Markdown/output, so an external URL controls agent output.