ljg-xray-skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required Instructions (Step 1: "URL → WebFetch 获取内容") explicitly direct the agent to fetch and read arbitrary URLs from the web as analysis objects, so untrusted public/user-generated content can be ingested and materially influence analysis and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly says "URL → WebFetch 获取内容" (Step 1), meaning it will fetch user-supplied URLs at runtime and inject that fetched content into the agent's analysis context, which can directly control prompts and behavior.