deep-research

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). run.py clearly ingests open-web content via tavily_search results and via _fetch_page for arbitrary fetch_urls (see run.py which collects search results and fetched_pages) and then asks the LLM—via the generated summary_prompt—to synthesize and act on those sources, exposing the agent to untrusted third-party content that could contain injected instructions.