notebooks

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's references explicitly instruct the agent to fetch and parse external release pages for container versions (references/container-versions.md) and to fetch remote OpenAPI specs and agent_card_url endpoints at runtime (references/manifest-schema.md / MCP server / Agent sections), which are untrusted third-party sources that can be parsed and converted into tools or influence deployment choices.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches remote agent cards and OpenAPI specs at runtime (e.g., https://research-agent.example.com/.well-known/agent.json and https://api.weather.example.com/openapi.json), and those fetched resources are converted into agent/MCP tools that directly influence agent behavior and capabilities, so they are runtime external dependencies that can control prompts or tool execution.