blaxel

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill lets agents execute sandbox commands that fetch/run external packages (e.g., the "npm install" example in Step 2), retrieve tool definitions from a sandbox's MCP endpoint (https://<SANDBOX_URL>/mcp via bl_tools), and mount/read Agent Drive shared files — all explicit workflow steps that ingest untrusted/user-provided third‑party content which can materially change tools or agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly fetches tool definitions at runtime from each sandbox's MCP endpoint (https://<SANDBOX_URL>/mcp) via bl_tools, and those returned tool definitions provide process-management/filesystem/code-generation capabilities that can directly control agent behavior or cause remote code execution.