citation-management

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs the agent to search and ingest content from public third‑party sources (Google Scholar, PubMed, CrossRef, arXiv) and even arbitrary URLs via scripts like search_google_scholar.py and extract_metadata.py, so untrusted public web content is read and used to drive citation selection and downstream actions.