knowledge-absorber
Warn
Audited by Snyk on Apr 28, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly accepts and fetches arbitrary public URLs and webpages (see SKILL.md steps "URL 链接" (URL link) → 2.1 摄取 (ingestion)) using content_ingester.py with requests/DrissionPage and build_source_package.py. That untrusted, user-generated page content is parsed and fed into downstream logic (e.g., knowledge card generation and build_knowledge_poster_assets.py, which builds prompts and model payloads), so third-party content can materially influence agent decisions and tool use.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's ingestion pipeline (scripts/content_ingester.py / build_source_package.py) fetches arbitrary user-supplied HTTP(S) targets at runtime (via requests or DrissionPage) and then incorporates that fetched content into generated prompts/wand-prompts and chat payloads (e.g., used to build wan_prompt.txt and the lesson payload sent to the model), so external URLs such as https://raw.githubusercontent.com/... (or any https://... user-provided target) can directly control agent prompts.
Issues (2)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata