azure-env-builder

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs fetching live, public third‑party content (e.g., via the "Required: MCP Tools" calls like mcp_bicep_experim_list_avm_metadata and microsoft_docs_search("Private Endpoint Bicep") and external URLs such as raw.githubusercontent.com and fluxcd.io), which are untrusted/public sources and are expected to be read/used as part of the workflow, creating a clear indirect prompt‑injection risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The Bicep examples include a CustomScriptExtension that fetches and runs remote scripts (e.g. https://raw.githubusercontent.com/yourrepo/scripts/squid-setup.sh) during VM deployment, which is a runtime fetch that will execute external code.