chatkit

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly includes runtime flows that fetch and ingest untrusted third-party content — e.g., the async fetch_data(url) and web_search function_tool examples and the MCPServerStreamableHttp / HostedMCPTool examples in references/mcp.md (and integrated into the server respond() flow in SKILL.md) — and those tool outputs are consumed by the agent and can change its subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes runtime MCP endpoints and hosted tool URLs that the agent connects to to fetch and use tools which directly influence agent behavior — e.g. HostedMCPTool with server_url "https://gitmcp.io/openai/codex" (and examples like "http://mcp-server:8000/mcp") are contacted at runtime to provide tool definitions, and the Stdio example uses "npx -y @modelcontextprotocol/server-filesystem" which fetches and executes remote code, so these are high-risk external dependencies.