nsfc-qc
Warn
Audited by Snyk on Mar 8, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly and mandatorily fetches and ingests public third-party content (Crossref/arXiv/Unpaywall APIs and arbitrary bib URL HEAD requests), as implemented in scripts/nsfc_qc_precheck.py (notably _resolve_reference_evidence, _fetch_crossref, _fetch_arxiv and _check_url_accessible), and SKILL.md and CHANGELOG require metadata resolution. That external data is used as evidence to drive citation P0/P1/P2 decisions, so untrusted web content can materially influence agent behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The precheck script performs runtime HTTP requests to external endpoints, e.g. Crossref (https://api.crossref.org/works/), arXiv (http://export.arxiv.org/api/query?...), Unpaywall (https://api.unpaywall.org/v2/?email=...), and arbitrary bib "url" fields (including .pdf links). It writes the fetched metadata/PDF excerpts into reference_evidence.jsonl, which is then consumed by AI threads, so untrusted remote content is fetched at runtime and injected into the model context (prompt/evidence) as a required dependency.