access-control

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly describes fetching runtime third-party content — e.g., agent_card_url for hosted-a2a-agent and remote OpenAPI spec URLs in references/manifest-schema.md (MCP Server / OpenAPI and Agent Source sections) — which are converted into MCP tools or agent behavior and therefore can inject instructions that influence the agent's actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly allows remote OpenAPI specs and hosted A2A agent cards to be fetched at runtime (e.g., "https://api.weather.example.com/openapi.json" and "https://research-agent.example.com/.well-known/agent.json"), and those fetched documents are converted into MCP tools / agent behavior that directly control agent capabilities and prompts, so they are runtime external dependencies that can influence agent instructions.