dingtalk-workflow-knowledge-base

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). Yes — SKILL.md explicitly describes fetching and scraping arbitrary public URLs (e.g., "支持的内容格式" listing 文章网页, YouTube, Twitter/X, 公众号, 知乎, and "Step 1: 抓取网页内容 使用 web_reader / WebSearch 获取文章内容") and then has the agent read/interpret that content to generate summaries, tags, and take follow-up actions (saving/updating records), which exposes it to untrusted third‑party content that could inject instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly fetches arbitrary external webpages at runtime via web_reader/WebSearch and injects the fetched content into the AI processing pipeline (e.g., example URL https://example.com/ai-trends-2026), so external content can directly influence agent prompts and outputs.