sap-ai-core

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly supports grounding/RAG pipelines and application sync that fetch content from external sources such as SharePoint, S3, SFTP and GitHub (see references/grounding-rag.md and references/advanced-features.md / SKILL.md), and those retrieved document chunks and repository-managed prompt/templates are injected into orchestration templates ({{$context}}) that directly influence prompts and model/tool behavior, so untrusted third‑party content can materially change agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill describes automatic Git sync and declarative prompt/template management that fetches repositories at runtime (e.g., https://github.com/org/ai-workflows) — the retrieved prompt templates and workflow templates directly control prompts/instructions and can cause execution of workflows, so this is a runtime external dependency that presents risk.