truefoundry-access-control

Warn

Audited by Snyk on Apr 2, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly accepts and fetches remote, user-supplied URLs, e.g., MCP server OpenAPI specs (spec.type: remote, spec.url) and hosted-a2a-agent agent_card_url, which are fetched at runtime and converted into MCP tools/agent behavior, so untrusted third-party content can be ingested and materially alter the agent's tools and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The manifest explicitly permits registering OpenAPI-backed MCP servers whose remote spec URL (e.g., https://api.weather.example.com/openapi.json) is fetched at runtime and "converted into MCP tools that control agent capabilities," meaning the external URL is used at runtime to directly control agent behavior.

Issues (2)

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 2, 2026, 10:17 PM
Issues: 2