summarise-paper

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly downloads and reads papers from public arXiv URLs (normalising to https://www.arxiv.org/src/...) and ingests user-provided PDFs (converted via pdftoppm and read as images), so it consumes untrusted third-party content as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly normalises arXiv abs URLs into src URLs (e.g. https://www.arxiv.org/src/2601.07372) and downloads the paper's LaTeX source at runtime to be read and injected into the model context, which is remote content fetched during execution that can directly control prompts.