knowledge

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly supports ingesting arbitrary HTTP(S) URLs (see SKILL.md example and scripts/graph.py ingest_document which calls _download_to_project_data using urllib.request.urlretrieve), then parses/chunks that third‑party content and feeds it to LLM extraction, the vector store, and the knowledge graph—so untrusted web-hosted documents can be read/interpreted and materially influence later tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill downloads arbitrary HTTP(S) documents at runtime (e.g., https://arxiv.org/pdf/2601.03192) via _download_to_project_data and then feeds the fetched text into the RAG/LLM pipeline (entity extraction, chunking, embeddings), which effectively injects remote content into the model context and can directly influence prompts/outputs.