xlb-topic-index
Warn
Audited by Snyk on Feb 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill's retrieval pipeline (scripts/retrieve-topic-index.sh + xlb_rag_pipeline.py prefetch and fetch_urls_concurrently, and xlb-open-url.sh) can fetch and convert arbitrary external HTTP URLs (the confirmation template shows examples such as youtube.com and github.com), so the agent may ingest and read untrusted public web content as part of its workflow.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill unconditionally POSTs to the local runtime endpoint http://localhost:5000/getPluginInfo to fetch Markdown, which is ingested and can contain executable query/command edges that the pipeline may parse and act on, so this runtime-fetched content can directly control agent behavior.