azure-hosted-copilot-sdk

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs the agent to fetch and ingest public third‑party docs/code (references/copilot-sdk.md directs use of context7-resolve-library-id and context7-query-docs and even a fallback to github-mcp-server-get_file_contents for the github/copilot-sdk repo, plus azd init templates from azure-samples), and those external files are expected to be read, selected, and used to drive code changes and deployment decisions—meeting all criteria for exposure to untrusted third-party content that could inject instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs runtime fetching of GitHub repositories/templates (e.g., azd init --template azure-samples/copilot-sdk-service → https://github.com/azure-samples/copilot-sdk-service and fallback to github-mcp-server-get_file_contents for owner:"github" repo:"copilot-sdk" → https://github.com/github/copilot-sdk), and those fetched repo files/templates/snippets are used to scaffold code and supply model context/snippets that directly control prompts or execute code.