agent-native-architecture

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs agents to perform web searches and fetch arbitrary URLs (e.g., WebTools.webSearch / webFetch in architecture-patterns.md and the call_api/fetch URL tool in references/mcp-tool-design.md and from-primitives-to-domain-tools), so the agent will read and act on untrusted, public third‑party content that can influence subsequent tool calls and decisions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt explicitly recommends unrestricted primitives like write_file and bash (e.g., "Write any file", arbitrary path strings) and encourages agent self-modification and autonomous loops, which could allow editing system files or running arbitrary shell commands (including actions that require sudo) unless strong sandboxing and approval gates are enforced.