ai-gateway

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly allows registering remote OpenAPI specs and hosted A2A agents that are fetched at runtime (see references/manifest-schema.md: "Remote specs are fetched at runtime" and the Agent section explaining agent_card_url / hosted-a2a-agent are fetched and can influence agent behavior), meaning untrusted third-party URLs can supply content that the agent will parse and act on.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill docs and manifest schema explicitly state that hosted A2A agents and MCP servers fetch external resources at runtime (for example the agent_card_url "https://research-agent.example.com/.well-known/agent.json" and remote OpenAPI spec "https://api.weather.example.com/openapi.json"), and those fetched artifacts are converted into agent tools/agent behavior (directly controlling capabilities/prompts) and are required for those resource types, so they represent a runtime external dependency that can control the agent.