modify-agent

Warn

Audited by Snyk on Feb 25, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill instructs the agent to add and query external MCP servers (e.g., DatabricksMCPServer/MCPServer with arbitrary URLs such as "https://other-server.com/mcp", and from_genie/from_vector_search/from_uc_function) and then uses client.get_tools() to ingest those tool definitions, so untrusted third-party service content can be fetched and directly influence the agent's tool use and behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly demonstrates adding MCP servers at runtime (e.g., MCPServer(name="external-server", url="https://other-server.com/mcp")), which the agent then uses to fetch tools via client.get_tools(). Those remote tools are invoked by the agent and can control its behavior or execute remote code, so this is a runtime external dependency that directly controls agent execution.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 25, 2026, 12:13 AM