reproduce

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to fetch and parse public third‑party content (e.g., arXiv HTML via mcp__tavily__tavily_extract in references/01-paper-fetch.md, HuggingFace paper/dataset searches, GitHub/PapersWithCode lookups) and to extract hyperparameters, code, and datasets from those untrusted sources which directly drive implementation, training runs, and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches external content at runtime — e.g. arXiv HTML via "https://arxiv.org/html/" (used to populate paper.md and thus feed the agent's instruction/context) and arbitrary git repositories via "git clone --depth 1 code/" (the cloned code is then run/installed as part of the implementation), which means remote content can directly control prompts or execute code.