sap-ai-core

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests external, potentially untrusted content — e.g., Applications (Git Sync) in references/advanced-features.md shows auto-sync from GitHub repository URLs and references/grounding-rag.md shows pipelines that pull documents from external sources (SharePoint/S3/SFTP) whose retrieved chunks are injected into prompts via the templating module ({{$context}}), so third‑party/user‑generated content can be read and materially influence LLM prompts and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill documents an automatic Git sync for applications and declarative prompt templates that fetch repository content at runtime (e.g., "https://github.com/org/ai-workflows" / "https://github.com/org/training-workflows"), and that fetched GitHub-hosted templates can directly define prompt templates and executable workflow templates (Argo workflows) that control agent prompts and run code.