qwen-asr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches audio from arbitrary public URLs (see service/main.py transcribe_audio / transcribe_url which uses httpx to download request.audio_url, and scripts/asr.py / SKILL.md which call /transcribe_url), then transcribes that untrusted third-party content into text the agent would read—allowing spoken instructions on public/ user-provided pages to influence agent behavior.