python-sdk

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's documentation (references/agent-patterns.md RAG Pattern showing an app_tool "search" calling tavily/search-assistant@latest, references/tool-builder.md with internal_tools().web_search(True), and references/sessions.md showing a "browser-automation" app that opens arbitrary URLs) explicitly instructs agents to fetch and read open web pages/URLs and use that content to drive responses and actions, exposing the agent to untrusted third-party content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill examples include a skill with "url": "https://example.com/skills/api-docs.md", which is strong evidence the SDK will fetch that remote document at runtime to inject reusable context into the agent (thereby directly controlling prompts), so this external URL is a runtime dependency that can alter agent instructions.