gcp-agent-eval-engine-runner
Warn
Audited by Snyk on Mar 11, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill fetches and streams runtime content from an arbitrary shadow_url—notably fetch_agent_info() calls {shadow_url}/apps/{agent_name}/agent-info and _run_inference() streams events from {shadow_url}/apps/{agent_name}/run_sse—and then uses the returned agent_info and streamed events as context for the judge/evaluation and downstream decisions, so untrusted third-party content could inject instructions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill fetches agent instructions at runtime from the ADK endpoint f"{shadow_url}/apps/{agent_name}/agent-info" (and uses it as the required agent_info for evaluation), so external content from that URL directly controls prompts/context used by the runner.
Issues (2)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).