add-tools

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to connect to external MCP/Genie servers (e.g., agent_server/agent.py and examples/custom-mcp-server.md showing urls like https://mcp-my-server.cloud.databricks.com/mcp) and calls mcp_client.get_tools(), meaning the agent fetches and ingests third-party tool definitions from arbitrary external MCP apps which can materially change tool use and behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill instantiates a DatabricksMCPServer pointing at a runtime URL (e.g., https://mcp-my-server.cloud.databricks.com/mcp) and calls mcp_client.get_tools() to fetch tool definitions that the agent will use, so the fetched remote content can directly control agent prompts/actions at runtime.