Knowledge Manager Workflow

Warn

Audited by Snyk on Feb 16, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The workflow explicitly ingests and scrapes open web and social media content: Phase 1 lists https://threads.net/, https://instagram.com/, and generic https://* as input sources, and Phase 2 calls km-browser-abstraction/scrape_url to extract that content. As a result, the agent reads untrusted, user-generated third-party material as part of its processing.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill calls scrape_url at runtime against arbitrary user-supplied sites (e.g. "https://", including "https://threads.net/", "https://instagram.com/", and "notion.so/") and injects the fetched page content into the agent workflow, so remote content retrieved at runtime can directly influence the agent's prompts and behavior.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 16, 2026, 03:12 AM