microsoft-foundry

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflows explicitly fetch and consume public third-party content—e.g., the Create Hosted Agent workflow (foundry-agent/create/create.md Step 3–4) uses the GitHub contents API and curl/gh to download sample code, and the tool references (references/tool-web-search.md, tool-bing-grounding.md, tool-mcp.md) enable real-time web/Bing/MCP results that the agent is expected to read and act on—so untrusted web or repo content can materially influence tool choices and actions, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The Create workflow instructs the skill at runtime to call the GitHub contents API and curl download sample code (e.g., GET https://api.github.com/repos/microsoft-foundry/foundry-samples/contents/samples/{language}/hosted-agents/{framework} and the repo https://github.com/microsoft-foundry/foundry-samples), which fetches remote code and sample agent instructions that are then used to seed/run hosted agents—so this is a runtime external dependency that can control prompts and execute code.