copilot-sdk

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SDK's "MCP Server Integration" examples explicitly show connecting to GitHub's MCP server (e.g., mcpServers URL "https://api.githubcopilot.com/mcp/") to access repositories, issues, and PRs, which are untrusted, user-generated third‑party content that the agent will read and incorporate into its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill configures an MCP server at runtime (see session mcpServers URL "https://api.githubcopilot.com/mcp/"), which the SDK connects to during session creation to load pre-built tools/context that can directly influence agent prompts and invoke remote tool behavior, so this is a runtime external dependency that can control agent behavior.