upstash-box-js

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly shows fetching and ingesting public, user-generated content—e.g., box.git.clone({ repo: "github.com/org/repo" }), the skills array that pulls GitHub repos (skills: ["upstash/qstash-js"]), and mcpServers with external URLs in SKILL.md—which the agent is expected to read/operate on and could therefore be influenced by untrusted third-party instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill examples show runtime-loading of external agent skills and MCP servers — e.g., the GitHub skill reference "upstash/qstash-js" (GitHub repo) in skills: ["upstash/qstash-js"] and the MCP server URL "https://mcp.example.com/sse" in mcpServers — both are fetched/attached at Box.create time and can inject behavior or context that directly controls agent instructions or execute remote-provided tool code.