access-control

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's manifest and references explicitly allow registering remote sources that are fetched at runtime — e.g., MCP server OpenAPI specs (references/manifest-schema.md "MCP Server (OpenAPI)" with remote spec URLs) and hosted A2A agents via agent_card_url (references/manifest-schema.md "Agent" / "agent_card_url") — which the agent converts into tools or uses to control behavior, exposing it to untrusted third-party content that can influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill documentation explicitly states hosted-a2a agent sources are fetched at runtime and can influence agent behaviour (example agent_card_url: https://research-agent.example.com/.well-known/agent.json), so this remote URL pattern is a runtime external dependency that can control agent prompts/capabilities.