worldbook

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's CLI explicitly fetches worldbook content from the public Worldbook site/repo (e.g., "worldbook get github" and https://worldbook.site) and instructs the agent to inject and act on that returned, user-submitted text, which creates a clear path for untrusted third-party prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's runtime "worldbook get" behavior fetches external worldbook text (e.g., from https://worldbook.site), and that fetched content is explicitly injected into the agent context as instructions that directly control prompts, so the external URL is a runtime dependency that can control the agent.