style-modeler

Fail

Audited by Snyk on Apr 27, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The prompt explicitly instructs stealthy or evasive actions (e.g., "微信公众号特规:务必使用绕过安全限制的参数配置" [WeChat Official Account special rule: be sure to use a parameter configuration that bypasses security restrictions], configuring the User-Agent and disable-blink-features, and extracting serially to avoid "风控" [risk control]) and mandates covert behaviors (saving extracted content to project directories and running normalization scripts) that go beyond, and attempt to circumvent, the normal extraction and security boundaries of the stated style-modeling purpose.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly requires calling a web-article-extractor/browser tool to fetch and extract user-supplied public article URLs (including WeChat Official Account articles) and then uses the extracted third-party article text as the analysis sample that drives modeling and file updates, so untrusted web content can directly influence agent decisions and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill explicitly requires calling an article extractor on user-supplied web article URLs (e.g., WeChat Official Account or other article links) at runtime and uses the fetched raw text as the analysis sample that directly controls the agent's modeling prompts and outputs, so user-provided article URLs are a runtime external dependency.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt explicitly instructs the agent to "bypass security restrictions" when extracting WeChat articles and to write/overwrite files and run a normalization script in the project directories, which directs bypassing protections and modifying the machine's filesystem state.

Issues (4)

  • E004 (CRITICAL): Prompt injection detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata

  Risk Level: CRITICAL
  Analyzed: Apr 27, 2026, 01:22 AM
  Issues: 4