kestra

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill clearly ingests and feeds arbitrary third‑party web content into agents — e.g., references/ai-llm.md shows RAG IngestDocument with fromExternalURLs, contentRetrievers/tools like TavilyWebSearch and GoogleCustomWebSearch, and examples (core.http.Download, ai_data_pipeline) that download inputs.document_url and then pass read(outputs.download.uri) into LLM prompts — allowing untrusted public web/user-generated content to be read and interpreted.