qiaomu-anything-to-notebooklm

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and ingests untrusted public third‑party content (arbitrary webpages, social posts, paywalled news, WeChat articles, YouTube, podcasts, Feishu docs) via components like scripts/fetch_url.sh, wexin-read-mcp and feishu-read-mcp, scripts/get_podcast_transcript.py and then uploads and queries NotebookLM (main.py / SKILL.md deep_analysis and ask_notebooklm) so that externally sourced content is read and can directly drive tool calls and subsequent actions, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's runtime fetch script (scripts/fetch_url.sh) calls external proxy endpoints such as https://r.jina.ai/, https://defuddle.md/, uses archive.today (https://archive.today/newest/) and even falls back to running "npx agent-fetch …" — these are invoked at runtime to retrieve article content (and npx can fetch/execute remote npm code), and the retrieved content is injected into the agent/NotebookLM pipeline to drive prompts/generation, so they constitute high‑risk external dependencies.