arxiv-mcp

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.70). The prompt includes a "Memory Protocol" that explicitly tells the agent to read and write local .claude/context/memory files and to "ASSUME INTERRUPTION", which directs behavior outside the arXiv search/retrieval purpose (accessing and persisting internal agent memory), so it contains deceptive/out-of-scope instructions that could affect agent state or leak sensitive context.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's SKILL.md explicitly directs the agent to fetch and parse public, user-submitted content from arXiv.org (e.g., WebFetch calls to http://export.arxiv.org/api/query and Exa "site:arxiv.org" searches shown in the execution_process and examples), and that fetched abstracts/metadata are read and used to drive subsequent searches and actions, creating a clear avenue for indirect prompt injection.