agentic-coordination-protocols
Warn
Audited by Snyk on Feb 25, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly describes runtime flows where clients fetch and parse public Agent Cards and registry entries (e.g., ".well-known/agent-card.json", PulseMCP, mcp.so in the "Discovery" and "Agent Cards" sections) and where the LLM is expected to read server-provided tool/resource/prompt descriptions (see "Tools", "Resources", "Prompts", and "Sampling"), meaning untrusted third-party content is ingested and can directly influence tool selection and agent actions, enabling indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The A2A spec requires clients to fetch Agent Cards at runtime from URLs like https://{server_domain}/.well-known/agent-card.json, and those cards contain natural-language skill descriptions that are ingested by LLMs to select/drive agent behavior; that is, externally fetched content directly controls prompts/selection.