deep-analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly requires the agent to fetch and ingest open/public third‑party content (via WebSearch, Chrome/Playwright MCP, mx_api, and direct scrapes of sites like cninfo, xueqiu, eastmoney, gov.cn, forums and social media) and to read/interpret those results as mandatory parts of the workflow (see HARD‑GATE‑QUALITATIVE, Task 1 / Task 2.5, Playwright/fallback and many WebSearch/Playwright instructions), so untrusted user‑generated web content can materially influence the agent's decisions and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly performs a runtime "background check" of the project's GitHub releases and will write/display the fetched release prompt (update_prompt.md) to the user (i.e., it pulls content from GitHub releases at runtime and injects it into the agent's first message), so the external origin https://github.com/*/releases/latest is a runtime-controlled prompt source that the skill depends on.