autoresearch

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md's "Bootstrap: Literature and Hypotheses" explicitly instructs the agent to search and ingest open/public sources (Exa MCP via web_search_exa, Semantic Scholar, arXiv, CrossRef) and to save/read paper summaries and URLs, so the agent will read untrusted third‑party web content that can directly influence hypotheses, experiments, and next actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill explicitly requires setting up persistent agent continuity (a /loop and a 10-minute cron job), instructs the agent to act autonomously without asking for user permission, and directs the agent to configure system-scheduled tasks and send out reports — actions that modify machine state and enable persistent background execution even though it does not explicitly request sudo or creating users.