cloudflare-workers-ai
Warn
Audited by Snyk on Mar 10, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill fetches and ingests arbitrary external content and then uses it as prompt/context for models. For example, the /vision/url endpoint in templates/ai-vision-models.ts fetches a user-supplied URL directly, and the RAG examples in SKILL.md and the templates pass the text of env.VECTORIZE matches (m.metadata.text) into env.AI.run as context. On either path, untrusted third-party content can influence model behavior (indirect prompt injection).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The /vision/url endpoint in templates/ai-vision-models.ts performs a runtime fetch(url) of a user-supplied URL, base64-encodes the retrieved image, and injects it into the env.AI.run messages, so whatever the remote URL returns directly controls the model input/context.
Audit Metadata