agentphone

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests untrusted user-generated content (call transcripts, SMS, recentHistory) delivered via webhooks and API endpoints (e.g., webhook payloads, GET /v1/calls/{call_id}/transcript, stream_transcript, GET /v1/numbers/{id}/messages) and the provided webhook handler examples show the agent reading that content and using it to drive LLM responses, tool calls, TTS, and call actions, so third-party content can materially influence behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's .mcp.json config launches "npx -y agentphone-mcp@0.2.0" at runtime, which fetches and executes remote npm package code (agentphone-mcp) that the skill depends on, so it is a runtime external dependency that executes remote code.