bookstrap-research

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs the researcher agent to perform web searches with external providers (Tavily, Brave, Serper, Google) and to fetch and ingest content from arbitrary source URLs ("Ingest Relevant Content" / ingest-file.py --url ), meaning untrusted public web content is read and used to drive decisions and entity/relationship extraction.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly invokes python ./scripts/ingest-file.py --url at runtime to fetch arbitrary external web content which is then ingested into the LLM context and drives entity extraction/decisions, so the fetched is a runtime dependency that can directly control prompts.