librarian

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). SKILL.md explicitly instructs the agent to run web_search (Perplexity) and use fetch_content to clone and read arbitrary public GitHub repos and URLs (including YouTube) as part of its normal workflow, so it ingests untrusted, user-generated third-party content that can materially influence decisions and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill performs runtime fetches/clones of arbitrary GitHub repositories (e.g., "https://github.com/owner/repo" / "https://github.com//") via fetch_content and then injects those fetched files into the agent's context to construct prompts and answers, so external repo content can directly control the agent's instructions and outputs.