blog-post

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's writing-guidelines.md explicitly instructs the agent to fetch webpage titles ("Use the webpage title (curl fetch it!) as the link text for each reference-style link"), which requires retrieving content from arbitrary public web pages (untrusted third-party sources) that the agent is expected to read and that can influence writing and follow-up actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly instructs cloning and using the remote repository https://github.com/jim60105/blog.git at runtime (git clone ... and git submodule update) and then running repository scripts such as ./switch-site.sh, so content fetched from that URL is a required dependency and can execute remote code that directly affects the workflow.