cloudflare

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests untrusted, user-generated content and acts on it — e.g., references/agents-sdk/patterns.md "Email Processing w/AI" reads arbitrary incoming email text, summarizes it with an LLM, and conditionally schedules actions (sendAutoReply), and references/ai-search show crawling/indexing public websites for aiSearch which the agent then uses to generate answers.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's MCP integration shows runtime registration and retrieval of external tools from env.MCP_SERVER_URL (e.g., https://mcp.example.com), where this.mcp.getAITools(...) fetches tool definitions that are injected into the model and can directly control agent prompts/behavior.