NYC

document-chat-interface

Warn

Audited by Snyk on Feb 15, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's document_processors (examples/document_processors.py) fetch and ingest arbitrary public content — e.g., extract_web_content(url) scrapes arbitrary URLs, extract_github_content(repo_url) pulls GitHub repo files, and extract_youtube_content(video_id) retrieves YouTube transcripts — which the agent then reads and uses to answer queries, exposing it to untrusted user-generated content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill performs runtime fetches via requests.get (notably GitHub API URLs like https://api.github.com/repos///contents in extract_github_content and arbitrary web URLs in extract_web_content) and the fetched file/page content is incorporated into the document context used to build LLM prompts, so external content can directly control prompts.
Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 15, 2026, 08:54 PM