truefoundry-tracing

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly warns that remote OpenAPI specs and hosted A2A agent cards are fetched at runtime and can change agent behavior—e.g., the OpenAPI example URL "https://api.weather.example.com/openapi.json" and the agent card URL "https://research-agent.example.com/.well-known/agent.json"—so these external URLs, when used, are runtime dependencies that can directly control agent capabilities.