citation-management

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to run scripts that fetch and scrape open web sources (e.g., scripts/search_google_scholar.py, scripts/search_pubmed.py, and scripts/extract_metadata.py which query Google Scholar, PubMed E-utilities, CrossRef, arXiv, and arbitrary article URLs) so the agent will ingest untrusted/public third‑party content (including preprints and scraped pages) and use that content to drive metadata extraction, validation, and automated fixes — satisfying the criteria for indirect prompt injection risk.