truefoundry-workspaces

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). Yes — the skill fetches external agent/MCP/OpenAPI endpoints at runtime that can change agent behavior (e.g., agent_card_url "https://research-agent.example.com/.well-known/agent.json", OpenAPI spec "https://api.weather.example.com/openapi.json", and MCP endpoint "https://my-mcp-server.example.com/mcp"), which are runtime-fetched and used to generate tools/prompts and thus pose a high risk if untrusted.