truefoundry-workflows

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill’s manifest and references explicitly accept and fetch untrusted external content at runtime—e.g., remote OpenAPI specs (references/manifest-schema.md → “MCP Server (OpenAPI)”), hosted A2A agent cards/agent_card_url (references/manifest-schema.md → “Agent”), and huggingface-hub artifacts_download—which are fetched and converted into tools/agents or downloaded and therefore can materially change agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly allows fetching remote OpenAPI specs and external agent cards/MCP endpoints at runtime (e.g., "https://api.weather.example.com/openapi.json" and "https://research-agent.example.com/.well-known/agent.json" / "https://my-mcp-server.example.com/mcp"), which are fetched and converted into MCP tools or agent behavior that directly control agent capabilities — a high-confidence runtime dependency that can control prompts or execute instructions.