tooluniverse-literature-deep-research
Warn
Audited by Snyk on Mar 8, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to fetch and extract full-text snippets from open/public sources (e.g., EuropePMC_search_articles, PubMed/PMC_search_papers, SemanticScholar_get_pdf_snippets, ArXiv_search_papers, openalex_literature_search and even get_webpage_text_from_url) and to use those untrusted third-party texts to verify claims and to drive evidence grading, theme extraction, and subsequent actions. This exposes the agent to indirect prompt injection from web content.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly demonstrates runtime fetching and ingestion of external article URLs (e.g., get_webpage_text_from_url(url="https://doi.org/10.1016/...")) and PDF/full-text snippets (open_access_pdf_url), which are then injected into the agent context for verification. External content loaded from URLs such as https://doi.org/10.1016/... can therefore directly control prompts.
Audit Metadata