aliyun-qwen-ocr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly accepts an image parameter as an HTTPS URL (see SKILL.md "Request
• image (string, required): HTTPS URL, local path, or data: URL" and scripts/prepare_ocr_request.py which builds a message with an "image_url" from the provided --image), meaning the agent will fetch and OCR arbitrary public/user-provided images whose text could contain instructions that influence subsequent decisions.