create-tldr-page

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly requires and fetches public documentation URLs (see "Prompt Parameters" → URL and "Usage/Syntax" showing "/create-tldr-page #fetch " and the note "If one or more URLs are passed... apply #tool:fetch"), so the agent ingests and interprets arbitrary third‑party webpages to generate TLDR pages, allowing untrusted content to influence its behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill requires fetching a user-supplied documentation URL at runtime (e.g., it explicitly calls #fetch on URLs such as https://raw.githubusercontent.com/jhauga/tldr/refs/heads/main/pages/common/git.md or any arbitrary docs URL) and injects that fetched content into the agent context to generate the tldr, so external content can directly control the agent's output.