workflows
Warn
Audited by Snyk on Mar 11, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and converts remote third-party content at runtime — e.g., remote OpenAPI specs for MCP servers ("MCP Server (OpenAPI)" with spec.type: remote and url) and hosted A2A agent cards/agent_card_url ("Agent" section, hosted-a2a-agent) — which are untrusted external URLs that are parsed into MCP tools or agent behavior and can directly change tool capabilities and actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches remote OpenAPI specs (e.g. https://api.weather.example.com/openapi.json) and hosted A2A agent cards (e.g. https://research-agent.example.com/.well-known/agent.json) at runtime, and those fetched documents are converted into MCP tools / agent behavior that directly control agent capabilities and prompts.