build-copilot-sdk-app

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly supports connecting to external MCP servers and arbitrary URLs (see references/agents-mcp-skills.md — "Remote HTTP/SSE MCP server" with a configurable url and headers) and the permissions docs show that MCP and URL access (and an approveAll shortcut) will deliver tool results into the session, so untrusted third‑party content can be ingested and directly influence the agent's actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes runtime MCP server configs that launch remote packages via npx (e.g., "npx -y @modelcontextprotocol/server-github" and "npx -y @playwright/mcp@latest") and an example remote MCP endpoint ("https://api.githubcopilot.com/mcp/"); these are fetched/executed at runtime and can inject tool results directly into the model context, so they meet the criteria for a high-risk external dependency.