gs-fulltext

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's evaluate_script and navigate_page steps explicitly scrape and extract links and metadata from live Google Scholar result pages (and may open publisher, DOI, or Sci-Hub pages), meaning the agent ingests untrusted public web content that could contain instructions influencing which links/tools it uses.