convo-agent-skills

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests and processes untrusted, user-generated RTM/RTC messages and transcripts (see references/04-rtm-messaging.md and 06-transcript.md / ConversationalAIAPI) and also allows configuring external LLM/MCP endpoints and avatar/tool endpoints in the agent invite payload (see snippets/agent-invite-route.ts), so third-party content and responses can be read and materially influence agent behavior (enabling indirect prompt injection).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The server-side invite/update flow sends the configured LLM/MCP endpoint to Agora and will cause runtime calls to external LLM/MCP URLs (e.g. https://api.openai.com/v1/chat/completions) which directly control agent prompts/responses, so these external URLs are used at runtime and are required for agent behavior.