ag2-network-tools-and-views

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's default handler and view projection explicitly read the channel WAL (EV_TEXT envelopes) and peer skill_md (via peers(action="describe")), feed that user-generated content into the LLM turn (resolve_view_policy → project → agent.ask), and therefore untrusted third-party messages can materially influence tool use and next actions, enabling indirect prompt injection.