claude-agent-sdk

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly exposes the agent to arbitrary public web content via built-in WebSearch/WebFetch tools (references/02-built-in-tools.md and 00-overview.md) and HTTP MCP servers (references/04-mcp-integration.md), which the agent ingests and uses in the agent loop to drive subsequent decisions and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes runtime MCP server connections that fetch and load remote tool definitions (e.g., HTTP/SSE endpoints like https://mcp.example.com/db and https://mcp.example.com/stream in the examples) — these remote servers provide tools/resources that are loaded into the agent context and can directly control agent behavior (and the docs also show starting subprocesses via npx which fetches and executes remote npm packages), so these runtime endpoints/packages are a high-risk external dependency.