data-pro-max
Warn
Audited by Snyk on Feb 28, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's notebooklm workflow and tools (see .agent/skills/notebooklm/SKILL.md and its references/mcp_tools.md and best_practices.md) explicitly allow adding and querying external web URLs and Drive/PDF sources, and using research_start/import to fetch public web content. The agent must read and act on that content (notebook_query plus mandated follow-up logic), which exposes it to untrusted third-party content that could carry indirect prompt injections.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The notebooklm skill exposes MCP tools (source_add, source_get_content, notebook_query) that fetch arbitrary web URLs and Google NotebookLM content (e.g., https://notebooklm.google.com) at runtime and inject that remote content into the model context, which can directly control agent prompts and outputs.