aws-agentic-ai

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's services/browser/README.md explicitly documents browser actions that navigate to arbitrary URLs, execute JavaScript, and extract page content (e.g., "navigate", "getText", "evaluate") and describes returning and processing extracted data (Result Processing and Browser←→Memory/Code Interpreter integrations), so agents will ingest untrusted public web content that can materially influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs uploading an OpenAPI schema to an S3 URI (e.g., s3://<BUCKET_NAME>/schemas/my-api-openapi.yaml) and uses that S3 schema in the create-gateway-target endpoint-configuration at runtime, meaning external content fetched from that URL is required and can directly determine the agent's tool/schema behaviour (i.e., control the agent's available instructions), so it meets the criteria for a runtime external dependency that controls agent behavior.