setup-engine

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly uses WebSearch and instructs the agent to "fetch and extract" official migration guides, changelogs, and other documentation from the public web (see Step 3 "Look Up Current Version" and Step 7 "Populate Engine Reference Docs"), so it ingests open third‑party content that the agent reads and uses to drive decisions and generate reference docs.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly performs WebSearch and “fetch and extract from official documentation” at runtime to populate agent-facing reference docs (e.g., fetching from official engine docs such as https://docs.godotengine.org/, https://docs.unity3d.com/, or https://docs.unrealengine.com/), and those fetched pages are injected into the agent’s reference/context that agents are instructed to read—so external URLs fetched at runtime directly control agent instructions.