azure-env-builder

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's required workflow explicitly instructs the agent to fetch external content (e.g., "mcp_bicep_experim_list_avm_metadata" and "microsoft_docs_search" in SKILL.md) and the templates include remote URIs for CustomScriptExtension (e.g., https://raw.githubusercontent.com/yourrepo/scripts/squid-setup.sh), so the agent will ingest and act on untrusted public/user-generated content that can influence code generation and deployment decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The Bicep VM config includes a CustomScriptExtension that fetches and executes remote code from https://raw.githubusercontent.com/yourrepo/scripts/squid-setup.sh (fileData uri + commandToExecute), so the skill uses an external URL at runtime that will execute fetched code during deployment.