agents

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly fetches and ingests external, potentially untrusted URLs at runtime (e.g., agent manifest's "agent_card_url" for hosted-a2a-agent and remote OpenAPI specs under references/manifest-schema.md / MCP server openapi "spec.type: remote"), and those fetched documents are converted into agent tools/behavior that can materially influence actions—exposing the agent to indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly allows registering hosted A2A agents and remote OpenAPI MCP specs that are fetched at runtime (e.g., agent_card_url "https://research-agent.example.com/.well-known/agent.json" and spec.url "https://api.weather.example.com/openapi.json"), and the manifest/schema text states these remote URLs are fetched and converted into MCP tools or agent cards that directly influence agent behavior—so they are runtime external dependencies that can control agent instructions.