a2ui-knowledge

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill instructs the agent to parse client-supplied a2uiClientCapabilities (including inlineCatalogs) from message metadata and to pick/load the supplied catalog per-surface (see references/v0.8/custom-catalog.md and references/v0.9/custom-catalog-guide.md), meaning arbitrary user-provided catalog documents are ingested at runtime and can materially change schemas, functions, and agent behavior.