Arxiv Paper Reader
Warn
Audited by Snyk on Feb 19, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill fetches public arXiv content (RSS/API and LaTeX e-print tarballs via arxiv_fetcher/fetcher.py, e.g., fetch_via_rss/_fetch_via_api and fetch_latex_source) and then passes the extracted paper text (ParsedPaper.first_pass_text, main_body_text, appendix_text) directly into LLM prompts in agents/reader_agent.py and agents/classifier_agent.py. Untrusted, user-submitted web content is therefore read and interpreted at runtime and can change agent decisions and workflow (e.g., APPENDIX_NEEDED and subsequent reading actions).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill fetches external paper content at runtime from arXiv (e.g., https://rss.arxiv.org/rss/{cat} and https://arxiv.org/abs/ / https://arxiv.org/pdf/.pdf), and the fetched abstracts and LaTeX sources are injected into LLM prompts, so remote content directly controls the agent's prompt context.
Audit Metadata