claude-agent-sdk

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill enables the agent to fetch and ingest arbitrary third‑party web content (e.g., the built-in WebSearch/WebFetch tools and example MCP external servers with URLs like https://api.example.com/mcp and the weather tool that calls https://api.weather.com), which are untrusted public sources and are explicitly consumed/parsed as part of the agent's workflow.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill exposes and encourages use of powerful state-modifying tools (Bash, Write, Edit), includes examples of deployment subagents with Bash, and explicitly documents a "bypassPermissions" mode (used in examples like CI/CD) that skips permission checks—effectively enabling the agent to perform privileged or destructive actions on the host if enabled.