agent-framework-azure-ai-py

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly enables web and external-MCP access (e.g., HostedWebSearchTool/Bing in references/tools.md and SKILL.md and HostedMCPTool / MCPStreamableHTTPTool with arbitrary URLs such as https://learn.microsoft.com/api/mcp in references/mcp.md), so the agent is expected to fetch and interpret untrusted public web/MCP content that can influence tool use and responses.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill configures MCP tools that the agent connects to at runtime (e.g., MCPStreamableHTTPTool / HostedMCPTool using https://learn.microsoft.com/api/mcp), and those endpoints are relied upon as runtime tool providers that can directly influence agent behavior and enable remote tool execution.