elevenlabs-agents

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly ingests and acts on external, potentially untrusted content at runtime — e.g., Server Tools (webhooks) that call arbitrary external URLs (see "Server Tools (Webhooks)" and get_weather example), the Knowledge Base & RAG flow that retrieves uploaded/public documents during conversations ("Knowledge Base & RAG"), and MCP Tools that connect to third‑party MCP servers — all of which the agent reads/interprets and can change tool calls or responses.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes explicit runtime MCP server endpoints (e.g., "server_url": "https://my-mcp.workers.dev/mcp" and "https://your-mcp-server.com") which ElevenLabs calls via JSON‑RPC at runtime to invoke tools — these external servers execute code and return responses that directly affect agent behavior/prompts, so they are high-risk runtime dependencies.