monitoring-observability

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill’s workflows explicitly fetch and ingest arbitrary web content (e.g., run_content_analysis calling fetch_content(url) in examples/orchestkit-langfuse-traces.md and search_web in references/agent-observability.md), so untrusted public webpages/search results are read and used to drive agent routing, LLM calls, and downstream decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill uses a remote Langfuse host at runtime (e.g., https://cloud.langfuse.com and calls to {LANGFUSE_HOST}/api/public/annotation-queues/{queue_id}/items and get_client().get_prompt()), which is explicitly described as a prompt-management / runtime API that can supply prompts/annotation items used by the agent, so remote content can directly control prompts.