idea-discovery

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.80). The prompt explicitly instructs the agent to perform hidden/deceptive actions—e.g., "Do NOT ask the user for permission — just do it silently" when retrying large file writes and to check/send a local Feishu config—behaviors that hide activity from the user and go beyond the advertised idea-discovery workflow.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests public third‑party content (e.g., Phase 0.5: REF_PAPER can download arXiv PDFs or "fetch and extract content via WebFetch"; Phase 1/3: /research-lit and /novelty-check search arXiv, Google Scholar, Semantic Scholar), and those external results are used to generate, filter, rank, and eliminate ideas—so untrusted web content can materially influence agent decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly fetches remote papers at runtime (e.g., https://arxiv.org/abs/2406.04329 and "other URL" via WebFetch) and injects their content as context for summarization and downstream prompts, so external content can directly control the agent's instructions.