research

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). This skill explicitly invokes web search and scraping backends (e.g., SKILL.md timetravel routes and Tool Manifest, Firecrawl BACKEND.md, and last30days BACKEND/README) to fetch Reddit/X and arbitrary public webpages, and then requires the agent to read, synthesize, and act on that untrusted, user-generated content (including producing follow-up prompts and actions), so third-party content can materially influence tool use and enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill mandates using the firecrawl CLI to scrape arbitrary external webpages at runtime (e.g., the command "firecrawl scrape https://example.com -o .firecrawl/example.md" is used) and explicitly states the scraped markdown is returned "optimized for LLM context windows" and used in synthesis, so remote content fetched at runtime can directly control prompts/instructions.