databricks-apps

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's scaffolding workflow explicitly tells the agent to run databricks apps manifest --template <GIT_URL> and to derive plugin names/resources from that manifest (i.e., fetch and parse an arbitrary Git URL/template), so untrusted third-party manifest content can directly influence which --features and --set flags the agent constructs and thus materially change subsequent CLI actions.