cloudflare

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's AI Search references (references/ai-search/README.md and api.md) explicitly describe crawling/indexing website content and R2 buckets and using env.AI.autorag(...).aiSearch to retrieve that content so agents read and act on third-party (public/user-provided) data, which can directly influence model outputs and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes runtime MCP integration that registers and fetches tool definitions from an external MCP server (example URL: https://mcp.example.com via env.MCP_SERVER_URL) and then passes those fetched tools into model calls (this.mcp.getAITools(...) → streamText), so remote content from that URL can directly control agent prompts/tools at runtime.