microsoft-foundry

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's Create Hosted Agent workflow (foundry-agent/create/create.md Steps 3–4) explicitly uses the public GitHub API and curl/gh to list and download sample files from a public repo and requires reading README.md and sample code, and the skill also enables Web Search/Bing grounding tools that retrieve live public web content—both are untrusted third‑party sources the agent is instructed to read and which can materially influence decisions and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs runtime fetching of sample code from the GitHub Contents API (e.g., GET https://api.github.com/repos/microsoft-foundry/foundry-samples/contents/samples/{language}/hosted-agents/{framework} and then curl'ing the returned download_url) and then installing/running that code, which means remote content is fetched at runtime and executed.