knowledge-skill

Warn

Audited by Snyk on Mar 16, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's URL ingestion workflow (scripts/knowledge_save_from_url.py — e.g., get_web_content using https://r.jina.ai/{url}, get_bilibili_content using yt-dlp, get_wechat_content calling an external wechat-article-for-ai script, and get_xiaohongshu_content/playwright for Xiaohongshu) fetches public/user-generated web and social-media content and then feeds that content into AI-summary and embedding generation in scripts/knowledge_save.py, so untrusted third‑party content is directly read and can influence model outputs and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill calls https://r.jina.ai/{url} at runtime in get_web_content to fetch arbitrary webpage text which is then passed into save_knowledge and used in generate_ai_summary (i.e., injected into the prompt sent to the remote chat/completion API), so remote content can directly influence the model prompt and is a required runtime dependency for the "web" source type.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 16, 2026, 07:23 AM
Issues: 2