microsoft-foundry
Warn
Audited by Snyk on Apr 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to fetch and consume public third-party content, notably listing and downloading samples via the GitHub API in "foundry-agent/create/create.md" (Step 3–4) and using real-time web search/Bing grounding and remote MCP servers (references/tool-web-search.md, tool-bing-grounding.md, tool-mcp.md). That untrusted web/GitHub/MCP content is intended to be read and used to select samples, ground responses, and drive tool invocations, so it can materially influence the agent's subsequent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The create workflow instructs the skill at runtime to fetch and download starter code from the GitHub API (e.g. https://api.github.com/repos/microsoft-foundry/foundry-samples/contents/samples/{language}/hosted-agents/{framework}), and that fetched code is then used/run as the agent (i.e., remote code that the skill relies on), which meets the criteria for a runtime external dependency that can execute code.
Issues (2)
W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata