building-with-llms

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill explicitly ingests untrusted customer ticket text (Zendesk tickets) into the model context and retrieval pipeline — see the SKILL.md architecture and the eval/with_skill.md examples and red-team cases that show ticket content being embedded and tested for prompt-injection — so user-provided content can materially influence tool calls and model behavior despite defenses.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill fetches KB articles at runtime (e.g., https://help.company.com/articles/142) via the search_kb/retrieval pipeline and injects that external content into the model context to control responses, making it a required runtime dependency that directly influences prompts.