reachy-mini

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md shows loading and executing a recorded-move library from HuggingFace (RecordedMoves("pollen-robotics/reachy-mini-dances-library")), a public user-hosted source whose untrusted, user-generated motion data is fetched and then interpreted/executed by the robot, so third-party content can materially influence behavior.