karpathy-kb

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required ingest and compile procedures explicitly instruct scraping arbitrary web pages and social media (Procedure 2: "firecrawl scrape " and TweetSmash bookmark pulls) into /raw/, and the LLM is then required to "load the candidate raw sources fully into context" (Procedure 3 and references/architecture.md), meaning untrusted third‑party content is fetched and directly read/interpreted by the agent.