image-ocr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly downloads and ingests arbitrary user/third-party images (e.g., download_image(message.file_key) in SKILL.md and message.download_image() in integration_example.py), runs OCR on them, and directly feeds the extracted text into model prompts—so untrusted, user-generated content can influence agent actions and prompts.