gs-search

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly navigates to and DOM-scrapes public Google Scholar pages (https://scholar.google.com/scholar?q=...) via an evaluate_script to extract titles, snippets, fullTextUrl and data-cid which the agent then uses to drive follow-up actions (e.g., open links, cited-by, export), thus ingesting untrusted third-party web content that could influence behavior.