claude-agent-sdk

Warn

Audited by Snyk on Mar 4, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill's documentation and required workflow explicitly enable the agent to fetch and ingest open web and API content (e.g., "WebSearch" / "WebFetch" in SKILL.md, HTTP/SSE MCP servers in references/mcp.md, and external-API examples in references/custom-tools.md), so the agent will read untrusted third-party pages/APIs that can influence tool choices and next actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill contains runtime MCP server configurations that fetch and execute external code or expose remote tool endpoints—e.g., launching npm packages via npx (args ["-y","@modelcontextprotocol/server-github"]) and connecting to remote MCP endpoints like "https://api.example.com/mcp/sse"—which are executed/queried at runtime and can supply tools or instructions that directly control the agent.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill explicitly enables running arbitrary Bash commands, editing/writing files, auto-approving edits (including mkdir/rm/mv/cp) and launching external MCP processes (npx), which directly enable modifying the host system and executing arbitrary commands even though it does not explicitly instruct sudo escalation or creating users.

Audit Metadata

Risk Level: MEDIUM

Analyzed: Mar 4, 2026, 01:10 PM