citation-management

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly fetches and ingests content from open public sources — e.g., search_google_scholar.py (Google Scholar scraping), search_pubmed.py (PubMed E-utilities), and extract_metadata.py which accepts arbitrary URLs and queries CrossRef/arXiv/DataCite — and the agent is expected to read and interpret that third-party metadata/content as part of its workflow, creating a clear vector for indirect prompt injection.