anndata

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill directly instructs reading remote, arbitrary files (e.g., ad.read_h5ad(url, backed='r') and fsspec.get_mapper('https://...') → ad.read_zarr(...)) in SKILL.md / references/io_operations.md, so it fetches untrusted public content (URLs/S3/Zarr) which the agent is expected to load and act on (filtering, metadata-driven processing), enabling indirect prompt injection.