tenders-finder

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs running parallel TinyFish agents to scrape live public portals (GeBIZ, Tenders On Time, Bid Detail, Tenders Info, Global Tenders), so the agent ingests untrusted third‑party web content that can directly influence its filtering, deduplication, and output decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill launches TinyFish agents at runtime that fetch and inject live page content from the listed portals (https://www.gebiz.gov.sg/, https://www.tendersontime.com/singapore-tenders/, https://www.biddetail.com/singapore-tenders, https://www.tendersinfo.com/global-singapore-tenders.php, https://www.globaltenders.com/government-tenders-singapore) into the agent context to determine outputs, and those external pages are required dependencies for the skill to operate.