ai-sdk-6

Warn

Audited by Snyk on Mar 7, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly documents fetching and injecting external documents and tools from external MCP servers (see the "Async prepareCall with RAG" example in references/agents.md that awaits vectorSearch and injects documents into instructions, and the MCP integration in references/mcp.md which shows createMCPClient(), mcpClient.tools(), readResource(), and experimental_getPrompt() pointing to arbitrary external URLs), meaning untrusted third-party content can be read and directly influence agent instructions and tool usage.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The examples show a runtime MCP client connecting to URLs like https://your-server.com/mcp (and similar hosts such as https://weather-server.com/mcp, https://data-server.com/mcp) via createMCPClient and then calling mcpClient.tools(), mcpClient.experimental_getPrompt(), and mcpClient.readResource(). These calls fetch external prompts and tools at runtime, which can directly control agent instructions or provide executable tools, so this is a runtime dependency that controls prompts and code.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 7, 2026, 01:10 AM