cross-app-workflow

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The SKILL.md explicitly instructs workflows like "文献调研 → 报告" that call [paper-search / arxiv-search] and [deep-doc-reader], meaning the agent will fetch and read public third‑party content (e.g., arXiv papers) which can be interpreted and used to drive subsequent actions.