ima-copilot

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's runtime search workflow (scripts/search_fanout.py) calls the IMA OpenAPI endpoints (e.g., https://ima.qq.com/openapi/wiki/v1/search_knowledge_base and wiki/v1/search_knowledge) and ingests/displayes KB hits (highlight_content, titles, etc.) from user/subscribed knowledge bases—third-party, potentially user-generated content—which the agent reads and uses to render results and drive follow-up actions; the installer script (scripts/install_ima_skill.sh) also fetches upstream archives from https://app-dl.ima.qq.com/skills/, further showing required runtime fetching of external content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The installer script fetches and unzips the upstream skill at runtime from https://app-dl.ima.qq.com/skills/ima-skills-.zip (and then installs it via npx skills add, which pulls the vercel-labs/skills runtime), so remote code and skill content are downloaded and installed into agent skill directories and thus can directly control agent behavior.