lit-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's workflow (e.g., Mode B "Search for new papers" and the PDF download list generation) explicitly instructs the agent to perform web searches and ingest/parse results from public sources like Google Scholar, DOIs, and other open websites to extract paper metadata and then act on those findings (adding to MASTER_LIST, .bib, and driving subsequent review actions), which clearly exposes the agent to untrusted third-party content.