zhihu-html

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's workflow (SKILL.md Step 2 and scripts/extract-refs.mjs / convert.mjs) extracts arbitrary URLs from user Markdown into refs.json and explicitly states the AI may access those URLs (or use their content) to generate the dataText field, meaning untrusted third‑party web pages can be read and can influence the AI's generated HTML.