guardrails

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests untrusted external content at runtime — e.g., remote OpenAPI specs are "fetched at runtime and converted into MCP tools" and hosted agents' agent_card_url and external guardrail provider endpoints are fetched/used (see references/manifest-schema.md and references/guardrail-providers.md), so third-party content can directly influence available tools, agent behavior, and enforcement decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly warns that remote OpenAPI specs are "fetched at runtime and converted into MCP tools that control agent capabilities" (example URL: https://api.weather.example.com/openapi.json) and that hosted A2A agent card URLs are fetched at runtime (example: https://research-agent.example.com/.well-known/agent.json), so external content can directly control agent behavior.