aws-agentic-ai

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's cross-service docs show agents pulling and executing externally-hosted, user-editable content — e.g., cross-service/agent-persistence-patterns.md describes loading SKILL.md/CLAUDE.md from S3 into agent cwd and using them to change agent behavior, and cross-service/registry-integration.md shows syncing registry records from arbitrary fromUrl endpoints and JSON-parsing inlineContent (MCP/A2A agent cards and schemas) which the agent then uses to deploy/invoke tools — this clearly ingests untrusted third-party content that can influence runtime actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill contains runtime code that synchronizes agent configuration from S3 (e.g., s3.get_object calls targeting the agent-configs bucket / s3://agent-configs and the S3 Files NFS host .s3-fs..amazonaws.com) which writes CLAUDE.md / SKILL.md into the agent workspace at session start — content that directly controls agent prompts/behavior.