refurbish-demos

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly scrapes and webfetches public company pages (Phase 2 "Discovering pages to scrape" and Phase 3 calls like "scrape_and_build_knowledge" and the WebFetch fallback) and ingests full page text as URL-type knowledge items that the chatbot will read and use, so it consumes untrusted third‑party web content that could contain instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill, at runtime, instructs the MCP endpoint to scrape arbitrary external pages (e.g. https://www.{domain}/, e.g. https://www.domain.de/ and related paths) and then injects the full fetched page text into agent knowledge via add_to_bucket, so remote page content directly controls the agent's outputs.