ljg-paper
Warn
Audited by Snyk on Mar 6, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md execution steps (Step 1) explicitly fetch and ingest content from public sources—e.g., "arxiv URL → call ljg-fetch to fetch it, or WebFetch to get the abstract + full text" and "WebSearch to find the paper"—so the agent reads untrusted third‑party web pages/PDFs as part of its workflow, which can materially influence its decisions and actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). Flagging arxiv.org (user-supplied arXiv URLs fetched at runtime via "ljg-fetch"/WebFetch) because the skill explicitly fetches remote paper content at runtime and injects that content into the agent's analysis pipeline, which directly becomes the model input/context driving its prompts and outputs.
Audit Metadata