migrate-from-model-serving

Warn

Audited by Snyk on Mar 6, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill explicitly downloads and ingests artifacts from a user/third-party MLflow Model Serving endpoint (via databricks serving-endpoints get and mlflow.artifacts.download_artifacts into ./original_mlflow_model, including code/, artifacts/, and input_example.json) and then instructs the agent to extract system prompts, tool definitions, and prompts from those files to drive the migrated app. Those files could embed malicious instructions that influence the agent's behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly downloads remote model artifacts at runtime via mlflow.artifacts.download_artifacts using the artifact URI "models:/{MODEL_NAME}/{VERSION}", and those downloaded artifacts (code/ and artifacts/, e.g., agent.py or prompt templates) can contain executable code or prompts that directly control the migrated agent.
Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 6, 2026, 11:23 AM