huashu-nvwa

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md workflow (Phase 1 "多源信息采集" with 6 parallel subagents and the Phase 3 "Agentic Protocol") explicitly instructs the agent to perform web searches and call tools like web-article-reader and agent-reach to fetch and ingest public/user-generated sources (Twitter/X, Reddit, YouTube transcripts, articles, arbitrary URLs and even third‑party downloads like LibGen/Z‑Library), and those fetched materials are read and used to drive synthesis and follow‑on actions—i.e., untrusted third‑party content is consumed and can materially influence tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's Phase 1 agents explicitly perform web searches at runtime and ingest external pages (e.g., https://karpathy.github.io/2026/02/12/microgpt/) into the research files that are then used to generate the SKILL.md and the Agentic Protocols, meaning that fetching that URL at runtime can directly shape the agent's prompts/instructions.