copilot-sdk

Warn

Audited by Snyk on Feb 23, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly supports connecting to remote MCP HTTP servers (see "MCP Server Integration" / "Remote HTTP Server" with a configurable url) so the agent can fetch and execute tool outputs from arbitrary HTTP endpoints, which are untrusted third-party content that can materially influence tool use and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill shows runtime commands that fetch and execute remote code—e.g., invoking "npx -y @modelcontextprotocol/server-filesystem" (and similar "npx ... @modelcontextprotocol/server-postgres") and pulling the Docker image ghcr.io/github/copilot-cli:latest—to start MCP servers, so these external packages/images are fetched and executed at runtime and thus can directly affect agent behavior.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 23, 2026, 05:58 PM