trigger-agents

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly enables an agent to perform web searches and fetch arbitrary URLs (see references/ai-tool.md "Common Pattern: Research Agent" where webSearch calls searchWeb(query, ...) and readUrl runs fetchAndParse(url)), so the agent ingests untrusted public web content/tools and may read/interpret user-provided pages during its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill exposes a runtime tool readUrl that performs fetchAndParse(url) on arbitrary URLs passed at runtime (i.e., any https://... URL provided to the readUrl tool), and those fetched contents are returned to the LLM via ai.tool—meaning external web content fetched at runtime can be injected into and directly influence prompts/context.