aap-automation

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly supports SCM-backed projects and SCM syncs (update_project / get_project_update_logs) and Ansible Galaxy searches (search_galaxy_collections / search_galaxy_roles), which fetch and ingest content from public/untrusted repositories and galleries that the agent may read and then act on (e.g., running playbooks), enabling indirect prompt-injection via third-party content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly requires cloning and running the external MCP server repository https://github.com/sibilleb/AAP-Enterprise-MCP-Server (install: "git clone" and run via "uv run ansible.py"), meaning remote code is fetched and executed as a required runtime dependency.