research-writing-assistant
Warn
Audited by Snyk on Mar 14, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly requires the agent to perform web searches and ingest public third‑party literature as part of its required workflow (see modules/paper-outline.md: "Must execute: use WebSearch to search..." and modules/literature-review.md: "English-language literature can be obtained via web search"), so the agent will read untrusted public web content that can materially influence planning and actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's environment-setup scripts explicitly download and execute Miniconda installers at runtime (e.g., curl -fsSL "https://repo.anaconda.com/miniconda/Miniconda3-latest-MacOSX-arm64.sh" -o "$INSTALLER" and Invoke-WebRequest -Uri "https://repo.anaconda.com/miniconda/Miniconda3-latest-Windows-x86_64.exe"), which fetches remote executable content that is then run—meeting the criteria for a runtime external dependency that executes remote code.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (medium risk: 0.60). This skill instructs the agent to create/read local project files and to run local bash/PowerShell scripts (notably using PowerShell -ExecutionPolicy Bypass) and to install/configure Miniconda/environments, which involves executing code and explicitly bypassing a Windows security mechanism even though it does not request sudo, create users, or modify system-level configs.
Issues (3)
W011 MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012 MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W013 MEDIUM: Attempt to modify system services in skill instructions.