Missing User Warnings
Medium
- Confidence
- 87% confidence
- Finding
- The script submits a user-supplied PDF URL to the third-party MinerU API, which means URLs and referenced documents are disclosed to an external service without any explicit warning, consent prompt, or trust boundary enforcement. In a research-agent context, this is more dangerous because users may provide private preprints, internal documents, or sensitive URLs expecting only local processing.
