guardrails

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches external, untrusted URLs at runtime — e.g., remote OpenAPI specs are "fetched at runtime and converted into MCP tools" (references/manifest-schema.md), agent_card_url/hosted-a2a-agent sources are fetched and can influence agent behavior (references/manifest-schema.md / API docs), and guardrail provider integrations allow custom/external endpoint_url providers (references/guardrail-providers.md) — all of which the agent is expected to read/interpret and which can change tool capabilities or enforcement decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly documents runtime fetching of external agent cards and OpenAPI specs that control agent behavior (e.g., agent_card_url "https://research-agent.example.com/.well-known/agent.json" and OpenAPI spec URL "https://api.weather.example.com/openapi.json"), which are converted into agent capabilities/MCP tools and thus can directly control prompts or agent behavior.