bookstrap-ingest

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly accepts and fetches arbitrary URLs ("If URL: fetch content using WebFetch" in the Processing Workflow) and shows example invocations ingesting public web pages (e.g., https://en.wikipedia.org/... and https://archive.org/...), which the ingestion pipeline and LLM-based chunking/entity extraction then read and index—allowing untrusted third-party content to influence downstream behavior.