a2ui

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly accepts and parses external/third-party catalog/schema content (e.g., the client-provided inlineCatalogs and supportedCatalogIds, and instructions to inject the standard catalog from GitHub) as part of its catalog negotiation and prompt-building flow (see reference/catalog-negotiation.md and reference/agent-prompting.md), so untrusted/user-provided content would be ingested and interpreted by the agent.