ai-sdk

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md "MCP Client" section shows connecting to arbitrary MCP servers (createMCPClient with a remote URL like https://my-mcp-server.com/sse) and calling await mcpClient.tools() and then passing those tools into generateText, which clearly ingests untrusted third‑party/tool definitions that can influence agent tool selection and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The example creates an MCP client at runtime using the transport URL "https://my-mcp-server.com/sse", then calls mcpClient.tools() and injects those tools into generateText—meaning remote content from that URL can supply tool definitions that directly control agent behavior and execute actions, so it is a runtime dependency that influences agent prompts/execution.