scry

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly exposes read-only SQL access to the ExoPriors public corpus "229M+ entities spanning forums, papers, social media, government records, and prediction markets" (see SKILL.md header, Quickstart and examples like E1/E2 using scry.search and scry.search_reddit_posts) and returns content_text / candidate sets used for reranking and agent judgements, so untrusted, user-generated third-party text is ingested and can materially influence tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly requires runtime calls to https://api.exopriors.com/v1/scry/context?skill_generation=20260313 (and other https://api.exopriors.com/v1/* endpoints such as /v1/scry/schema) whose responses can include directives like "should_update_skill" that cause the agent to instruct the user to run remote-install commands (e.g., npx skills update) and to drive query/behavior decisions, so external content directly controls agent instructions at runtime.