otel-declarative-config

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill explicitly instructs the agent to WebFetch public files from GitHub (e.g., raw.githubusercontent.com/open-telemetry/opentelemetry-configuration/... listed in "Sources of Truth" and the "Workflow when generating YAML") and to read/interpret those untrusted, user-editable third-party documents to build and validate configuration that can materially affect subsequent tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly performs WebFetch calls at runtime to raw GitHub URLs (e.g. https://raw.githubusercontent.com/open-telemetry/opentelemetry-configuration/main/opentelemetry_configuration.json and https://raw.githubusercontent.com/open-telemetry/opentelemetry-configuration/main/examples/otel-sdk-config.yaml) to obtain schema and example templates that are then used to drive generation/validation of configs, so the fetched remote content directly controls the agent's outputs and is a required dependency.