aws-strands-agents-agentcore
Warn
Audited by Snyk on Feb 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly includes a managed "Browser" web-automation tool (references/architecture.md and references/limitations.md) and shows examples using a web_search tool, meaning agents can fetch and interpret public websites/third-party web content (untrusted user-generated sources) as part of their workflow.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill dynamically loads and registers tools from MCP endpoints at runtime (e.g., http://mcp:8000/mcp / http://mcp-database.internal:8000/mcp), which the agent then uses to execute remote tool logic and control behavior, so these URLs are runtime dependencies that can directly execute code or affect prompts.