a2a-patterns

Warn

Audited by Snyk on Feb 16, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly discovers and consumes arbitrary remote Agent Cards and remote agent endpoints (e.g., A2ACardResolver.resolve(...) in templates/a2a-client.py, templates/multi-agent-orchestration.py and examples/*, plus scripts/consume-agent.sh, which curls /.well-known/agent.json), then delegates tasks to those remote agents via send_task. The agent will therefore read and act on untrusted third‑party content provided by arbitrary URLs.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill performs runtime discovery via A2ACardResolver.resolve on URLs like https://remote-agent.example.com (and similar remote-agent URLs such as https://research-agent.example.com, https://inventory.example.com). The fetched Agent Card fields (name/description/endpoint) are injected into agent instructions and used to create send_task tools that delegate execution to remote agents, meaning remote content directly controls prompts and causes remote code execution at runtime.
Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 16, 2026, 11:11 AM