agent_team
Warn
Audited by Snyk on Mar 11, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly dispatches workers to perform web searches (e.g., SKILL.md "Parallel search and information aggregation" / "Search Google for the latest AI progress"), and tools.py's dispatch_task and sync_task_context fetch and stream responses from worker endpoints (POST to {worker_url}/api/chat and GET http://localhost:{port}/api/context/leader_summary). The agent therefore ingests untrusted third-party (web or user-generated) content returned by those nodes, which can materially influence its subsequent decisions and tool use.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). At runtime the skill sends executable instructions to, and receives them from, remote worker endpoints (e.g., POSTing task payloads to {worker_url}/api/chat and metadata to {worker_url}/api/sessions/{session_id}/metadata, and querying http://localhost:/api/context/*). Those URLs are therefore used at runtime to deliver prompts that cause remote agents to execute code, and the skill cannot function without them.
Audit Metadata