databricks-apps

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs agents to browse and preview user-uploaded Unity Catalog Volume files (references/appkit/files.md shows FilePreviewPanel and fetch of /api/files/... previews) and to use the Genie plugin which streams natural-language message and query results (references/appkit/genie.md), both of which expose untrusted, user-generated content the agent is expected to read and that can materially influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill repeatedly instructs running "npx @databricks/appkit docs" (which fetches and executes code from the npm registry, e.g. https://registry.npmjs.org/@databricks/appkit) and allows scaffolding from a remote git template via "databricks apps init --template <GIT_URL>" — both are runtime fetches that execute or install remote code and the guidance treats them as required steps for scaffolding/docs.