read

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md and reference scripts (references/read-methods.md and scripts/fetch.sh / fetch_weixin.py) explicitly fetch and convert arbitrary public URLs (e.g., x.com/Twitter, mp.weixin.qq.com, general websites via defuddle.md and r.jina.ai) into Markdown that the agent ingests and returns, exposing it to untrusted user-generated third‑party content that can influence subsequent saves/extraction or downstream actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's runtime fetch pipeline calls external proxy endpoints (e.g., https://defuddle.md/{url} and https://r.jina.ai/{url}) and may run npx --yes agent-fetch (which downloads and executes a package) or fetch raw files from https://raw.githubusercontent.com, and the returned remote content is directly injected as the agent's Markdown output/context—so these URLs are used at runtime and can directly control prompts or execute remote code.