autonomous-agent-patterns

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests web content (ContextManager.add_url using requests.get and html_to_markdown) and navigates/reads pages (BrowserTool.open_url and get_page_content, VisualAgent.describe_page/find_and_click), then injects that untrusted URL/page content into prompts/context for the agent, allowing third-party text to influence tool calls and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). ContextManager.add_url calls requests.get(url) at runtime and appends the fetched page content into the agent context/format_for_prompt, meaning any arbitrary URL fetched via requests.get(url) can directly control the LLM prompt content (e.g., requests.get(url)).

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill exposes powerful file-editing and shell-execution tools (read_file, write_file, edit_file, run_command, dynamic code/server creation) and includes no enforced sandboxing or path checks in those implementations, so an agent using it can modify system files or execute commands that change the host state despite some suggested mitigations.