agno

Warn

Audited by Snyk on Feb 26, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly shows agents using web- and URL-based tools to ingest public third-party content: the SKILL.md examples use YFinanceTools and Image(url="https://..."), and references/tools.md lists DuckDuckGoTools, NewspaperTools, HackerNewsTools and an async fetch_data(url) example, plus MCPTools connecting to external URLs. These fetched, untrusted web, forum and user-generated sources are read and used in workflows such as "Analyze NVIDIA", allowing third-party content to materially influence agent decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The MultiMCPTools example runs commands at runtime that fetch and execute remote code (e.g., "npx -y @openbnb/mcp-server-airbnb --ignore-robots-txt" and "npx -y @modelcontextprotocol/server-brave-search"), which would download and execute npm packages and expose MCP-provided tools that directly control the agent's available toolset and behavior.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 26, 2026, 10:40 AM