add-tools

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflow (agent_server/agent.py and examples/custom-mcp-server.md) explicitly instructs the agent to connect to external MCP servers via arbitrary URLs and call mcp_client.get_tools(), meaning the agent will fetch and ingest third-party/untrusted tool descriptions and content that can alter its actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill instantiates DatabricksMCPServer with runtime URLs (e.g., https://mcp-my-server.cloud.databricks.com/mcp and {host}/api/2.0/mcp/genie/{space_id}) and calls mcp_client.get_tools(), which fetches remote tool definitions at runtime that directly affect the agent's available instructions/behavior.