personize-code-pipelines

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests open web and enrichment results (e.g., searchWithTavily(...) in pipelines/crm/hubspot-lead-review.ts and enrichment calls in multiple pipelines) and the Personize SDK notes MCP tools like Tavily/Exa are automatically available to ai.prompt()/agents.run(), so untrusted third-party web/news content is read and incorporated into prompts/memorized context that directly drives actions (email generation, follow-ups, escalations).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill calls external enrichment APIs at runtime (e.g., https://api.tavily.com/search) and injects the returned research results into LLM prompts/memorization flows, meaning content fetched from that URL directly influences agent instructions and generation.