cloudflare

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs using AI Search to crawl/index website content (references/ai-search/README.md and api.md show env.AI.autorag(...).aiSearch for website or R2 sources) and the Agents SDK includes email ingestion/onEmail patterns (references/agents-sdk/*), meaning untrusted public or user-generated content is fetched and read by agents and can directly influence responses and follow-up actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). Flagging env.MCP_SERVER_URL (example: https://mcp.example.com) because the skill shows registering an MCP server at that runtime URL and calling this.mcp.getAITools(...) to load remote tool definitions which are injected into the agent's model context and can directly control agent prompts/behavior.